Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

17 alerts match the current filters. tactic: TA0007 ✕ technique: T1580 ✕

Show ATT&CK heatmap
  • AWS EBS discovery operation Informational Cloud

    AWS EBS discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log
    Attacker's goals: Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared. Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.
    Investigative actions: Verify if the identity typically queries EBS volumes or snapshots in this environment. Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous. Review surrounding activity for other discovery calls to assess broader enumeration behavior. Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.
  • AWS EBS enumeration activity Informational Cloud

    EBS volume and snapshot enumeration activity, potentially indicating block storage reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Identify existing EBS volumes and snapshots to understand what storage resources are available and in use. Assess if snapshots are shared with other accounts or publicly accessible. Identify potential data exfiltration paths or targets.
    Investigative actions: Review which EBS API calls were executed and their frequency. Analyze the identity performing the actions. Inspect sharing or access configurations of enumerated snapshots.
  • AWS EC2 discovery operation Informational Cloud 3 variations

    AWS EC2 discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Gather information about instances to identify targets and understand the environment. Plan lateral movement or privilege escalation.
    Investigative actions: Verify if the identity is authorized to perform EC2 queries and whether this activity aligns with its normal behavior. Check if there were related API calls before or after this event. Determine if the activity is part of a scheduled task or an unexpected manual request. Investigate whether this was followed by any actions that could indicate lateral movement.

    Variations

    AWS VPC discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS Site-to-Site VPN discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

    AWS PrivateLink discovery operation

    Informational overridden

    AWS EC2 discovery operation. overridden

  • AWS EC2 infrastructure enumeration activity Informational Cloud

    EC2 infrastructure enumeration activity detected within a specific AWS region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover EC2 resources and network setup to find potential weaknesses or targets. Use the gathered information to enable lateral movement, privilege escalation, or data exfiltration.
    Investigative actions: Identify and review the specific EC2 enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.
  • AWS Lambda discovery operation Informational Cloud

    AWS Lambda discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions. Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.
    Investigative actions: Verify if the identity is expected to access Lambda configuration or code metadata. Check if this API call was part of a broader enumeration pattern. Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous. Investigate whether this was followed by any actions that could indicate lateral movement.
  • AWS Lambda infrastructure enumeration activity Informational Cloud

    Lambda infrastructure enumeration activity detected within a specific AWS region.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover deployed functions and their configurations. Assess IAM policies, event triggers, and execution limits to evaluate privilege levels and potential abuse paths. Enumerate metadata for potential weaknesses or sensitive data.
    Investigative actions: Identify and review the specific Lambda enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.
  • AWS S3 Buckets enumeration activity Informational Cloud

    Enumeration of S3 buckets, suggesting potential cloud storage reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover available S3 buckets in the environment. Enumerate objects within buckets to determine the type and structure of stored data. Evaluate public access configurations of buckets to identify potential exposure or misconfigurations.
    Investigative actions: Identify the identity performing the calls and determine if this behavior aligns with their typical access patterns. Check access control policies and public access settings on the enumerated buckets for misconfigurations or unauthorized access attempts.
  • AWS Security Service Enumeration Informational Cloud 1 variation

    AWS security service enumeration activity, potentially indicating reconnaissance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    15 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Software Discovery (T1518) Software Discovery: Security Software Discovery (T1518.001) Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Reconnaissance of security defenses to assess and identify exploitable weaknesses.
    Investigative actions: Review which API calls were executed and their frequency. Analyze the identity performing the actions. Inspect configurations of enumerated services.

    Variations

    AWS Multiple Security Services Enumeration

    Informational overridden

    AWS security service enumeration activity, potentially indicating reconnaissance. overridden

  • AWS Storage Gateway enumeration Informational Cloud

    An AWS Storage Gateway was enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • AWS Storage Gateway file share enumeration Informational Cloud

    AWS Storage Gateway file shares were enumerated.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log
    Attacker's goals: Enumerate the organizational structure to plan lateral movement.
    Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.
  • AWS support case creation Informational Cloud

    A cloud identity has created a new case in AWS support.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)
    Required data: AWS Audit Log
    Attacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.
    Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .
  • Cloud email infrastructure enumeration activity Informational Cloud

    A cloud identity attempted to discover available email sending resources within the cloud environment.This may indicate an adversary attempting to map the organization's email sending environment and discover cloud resources that may assist to send phishing emails or spam.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log
    Attacker's goals: Map the cloud email environment and detect potential email resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available email resources were discovered. Investigate if the discovered email resources were used to send phishing emails or spam, or perform other attacks in the cloud environment.
  • Cloud infrastructure enumeration activity Informational Cloud 1 variation

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Map the cloud environment and detect potential resources to abuse.
    Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.

    Variations

    Suspicious cloud infrastructure enumeration activity

    Low overridden

    A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment. overridden

  • IAM instance profile associations were described Informational Cloud

    AWS IAM instance profile associations were described.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log
    Attacker's goals: Discover infrastructure and resources that are available within a cloud environment.
    Investigative actions: Determine which instance profile associations were described. Investigate any suspicious activities related to the identity.
  • Multi region enumeration activity Informational Cloud

    An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.
    Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.
  • Storage enumeration activity Informational Cloud

    An identity attempted to discover cloud objects within storage buckets.This might be an attempt by an adversary to find sensitive data stored in cloud storage, which could lead to data theft.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619) Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: Access sensitive data stored in cloud infrastructure.
    Investigative actions: Check the identity's role designation in the organization. Identify which storage buckets were enumerated and whether they contained sensitive information.
  • Unusual multi-region AWS Resource Explorer searches Informational Cloud

    An identity performed unusual discovery activity in multiple regions using Resource Explorer's Search operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Discovery: Cloud Account (T1087.004)
    Required data: AWS Audit Log
    Attacker's goals: Obtain a list of resources that could be targeted for lateral movement.
    Investigative actions: Investigate any unusual activity originating from the suspected identity.