Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0005 ✕ technique: T1535 ✕

Show ATT&CK heatmap
  • Compute activity in dormant cloud region Informational Cloud 3 variations

    A compute resource was created or updated in a cloud region that has been dormant for this project.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005)
    ATT&CK techniques: Unused/Unsupported Cloud Regions (T1535)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Create compute resources in unmonitored regions to evade detection for purposes such as hijacking resources or establishing persistence.
    Investigative actions: Verify if compute resources are authorized in this region. Terminate unauthorized compute resources and disable unused regions.

    Variations

    Compute activity in dormant cloud region from a non-VPN IP address

    Informational overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

    A cloud compute instance was created in a dormant region

    Medium overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

    Compute activity in dormant cloud region by a compromised AWS access key

    High overridden

    A compute resource was created or updated in a cloud region that has been dormant for this project. overridden

  • Multi region enumeration activity Informational Cloud

    An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.
    Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.