Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. tactic: TA0002 ✕ technique: T1651 ✕

Show ATT&CK heatmap
  • AWS SSM send command attempt Informational Cloud 2 variations

    An identity executed an AWS SSM Document.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.

    Variations

    AWS SSM SendCommand targeting multiple instances

    Low overridden

    An identity executed an AWS SSM Document. overridden

    Unusual AWS SSM send command

    Low overridden

    An identity executed an AWS SSM Document. overridden

  • Cloud compute instance user data script modification Informational Cloud 1 variation

    The user data of a cloud compute instance was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Cloud Administration Command (T1651)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute commands within virtual machines.
    Investigative actions: Verify whether this action is expected. Inspect the user data script for malicious content.

    Variations

    Unusual Cloud compute instance user data script modification

    Low overridden

    The user data of a cloud compute instance was modified. overridden

  • Command execution via AWS SSM Medium Cloud

    A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.
    Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).
  • Suspicious cloud user data modification attempt followed by VM restart Low Cloud

    Suspicious user data modification followed by VM restart, possibly an attempt to run altered startup scripts at boot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Cloud Administration Command (T1651)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute arbitrary code, establish persistence, or alter instance startup behavior through modified user data.
    Investigative actions: Review the identity who modified the instance user data. Inspect the user data script for malicious content.