Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0006 ✕ technique: T1526 ✕

Show ATT&CK heatmap
  • AWS SSM parameters discovery Informational Cloud 1 variation

    An attempt was made to list parameters stored in AWS SSM.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in SSM parameter store.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS SSM parameters discovery

    Informational overridden

    An attempt was made to list parameters stored in AWS SSM. overridden

  • AWS Secrets Manager discovery Informational Cloud 1 variation

    An attempt was made to list secrets from AWS Secrets Manager.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Discovery (TA0007)
    ATT&CK techniques: Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive secrets stored in AWS Secrets Manager.
    Investigative actions: Check if the secrets manager activity aligns with known workflows or automation, or if it indicates abnormal activity. Follow further actions done by the identity.

    Variations

    Unusual AWS Secrets Manager discovery

    Informational overridden

    An attempt was made to list secrets from AWS Secrets Manager. overridden