Analytics Alerts
Browse the Cortex analytics alert reference.
4 alerts match the current filters. tactic: TA0002 ✕ technique: T1648 ✕
Show ATT&CK heatmapA cloud function was created with an unusual runtime Low Cloud 3 variations
A cloud function was created with an unusual runtime.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Serverless Execution (T1648)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Execute arbitrary code in cloud environments.Investigative actions: Examine the cloud function's code implementation and look for any unusual invocations. Check for any unusual activities within the same project.Variations
A cloud function was created with an unusual runtime by a known cloud identity
Informational overridden
A cloud function was created with an unusual runtime. overridden
A cloud function was created with a runtime that was not seen in the organization
Low overridden
A cloud function was created with an unusual runtime. overridden
A cloud function was created with a custom runtime
Medium overridden
A cloud function was created with an unusual runtime. overridden
An AWS Lambda Function was created Informational Cloud
An AWS Lambda Function was created.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002) Persistence (TA0003)ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)Required data: AWS Audit LogAttacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.An AWS Lambda function was modified Informational Cloud
An AWS Lambda function was modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Serverless Execution (T1648)Required data: AWS Audit LogAttacker's goals: Modification of Lambda functions may provide attackers access to run code against cloud environments.Investigative actions: Check what modifications were made to the AWS Lambda function.Penetration testing tool activity attempt Informational Identity Analytics 1 variation
A SaaS API was invoked by a penetration testing tool.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 2 Days
ATT&CK tactics: Execution (TA0002)ATT&CK techniques: Serverless Execution (T1648)Required data: Office 365 AuditAttacker's goals: Usage of known tools and frameworks.Investigative actions: Check if there is an active PT test ongoing.Variations
Penetration testing tool activity attempt
Medium overridden
A SaaS API was successfully invoked by a penetration testing tool. overridden