Analytics Alerts
Browse the Cortex analytics alert reference.
3 alerts match the current filters. tactic: TA0006 ✕ technique: T1530 ✕
Show ATT&CK heatmapLarge volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation
A user accessed a large volume of files potentially containing credentials in Google Drive.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.Variations
Possible credential files harvesting in Google Drive
Low overridden
A user accessed a large volume of files potentially containing credentials in Google Drive. overridden
Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)Required data: AWS Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
A non admin identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
Suspicious secrets dump activity Informational Cloud 2 variations
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Collect secrets from the cloud environment.Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.Variations
An identity extracted every secret within the organization across multiple regions
Medium overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden
An identity extracted multiple secrets within the organization across multiple regions
Low overridden
An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden