Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

2 alerts match the current filters. tactic: TA0008 ✕ technique: T1651 ✕

Show ATT&CK heatmap
  • AWS SSM send command attempt Informational Cloud 2 variations

    An identity executed an AWS SSM Document.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    3 Days
    ATT&CK tactics: Lateral Movement (TA0008) Execution (TA0002)
    ATT&CK techniques: Remote Services: Direct Cloud VM Connections (T1021.008) Cloud Administration Command (T1651)
    Required data: AWS Audit Log
    Detector tags: Cloud Lateral Movement Analytics
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands, or compromising sensitive information within the target system.
    Investigative actions: Examine the code in the SSM document, and the target objects. Validate the permissions and roles associated with the user initiating the SSM session to ensure they align with the expected level of access. Follow further actions taken by the identity or on the relevant targets.

    Variations

    AWS SSM SendCommand targeting multiple instances

    Low overridden

    An identity executed an AWS SSM Document. overridden

    Unusual AWS SSM send command

    Low overridden

    An identity executed an AWS SSM Document. overridden

  • Command execution via AWS SSM Medium Cloud

    A cloud identity performed multiple unusual activities leading to code execution using AWS Systems Manager service.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    30 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Execution (TA0002) Lateral Movement (TA0008)
    ATT&CK techniques: Cloud Administration Command (T1651) Remote Services: Direct Cloud VM Connections (T1021.008)
    Required data: AWS Audit Log
    Attacker's goals: Gaining unauthorized access, executing unauthorized commands or compromising sensitive information within the target system.
    Investigative actions: Investigate the activities related to the suspected identity. Examine the code executed on the target instance(s).