Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

21 alerts match the current filters. tactic: TA0009 ✕ technique: T1530 ✕

Show ATT&CK heatmap
  • An EBS snapshot block was downloaded Informational Cloud 2 variations

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An EBS snapshot block was downloaded from a snapshot with sensitive data

    Medium overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden

    An unusual download of EBS snapshot block

    Low overridden

    An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden

  • An identity accessed a backup cloud storage Informational Cloud 1 variation

    An identity accessed a backup cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity accessed a backup cloud storage which wasn't read recently

    Low overridden

    An identity accessed a backup cloud storage. overridden

  • An identity accessed a cloud storage for the first time Informational Cloud

    An identity accessed a cloud storage resource for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.
  • An identity accessed cloud storage containing sensitive data Informational Cloud

    An identity accessed cloud storage containing sensitive data.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • An identity initiated a download of multiple cloud objects Informational Cloud 2 variations

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.

    Variations

    An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume

    Medium overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden

    An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume

    Low overridden

    An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden

  • An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    An identity performed a suspicious download of multiple cloud storage objects from an internal IP

    Informational overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    High overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden

    An identity performed a suspicious download of multiple cloud storage objects from multiple buckets

    Medium overridden

    An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden

  • An unusual read activity of cloud object Informational Cloud

    An identity accessed a cloud object filetype for the first time.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.
  • Cloud compute volume creation attempt Informational Cloud 1 variation

    An attempt was made to create an EBS volume.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Exfiltrate sensitive data stored on snapshots.
    Investigative actions: Review recent activity related to the identity, the created volume and the cloud snapshot.

    Variations

    Cloud compute volume creation attempt using Cloud Formation or Terraform

    Informational overridden

    An attempt was made to create an EBS volume. overridden

  • Cloud snapshot created or modified Informational Cloud 3 variations

    A cloud identity has created or modified a cloud snapshot.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)
    ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data that resides on the snapshot.
    Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.

    Variations

    Cloud snapshot was configured for public access

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Cloud snapshot was shared with an unusual AWS account(s)

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

    Previously unseen GCP principal was bound to cloud snapshot

    Low overridden

    A cloud identity has created or modified a cloud snapshot. overridden

  • Data exfiltration from cloud database Low Cloud 2 variations

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate data from the cloud environment.
    Investigative actions: Check the identity which invoked the operation.

    Variations

    Data exfiltration from cloud database containing sensitive data from a production account toa foreign account

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

    Suspicious data exfiltration from cloud database

    High overridden

    An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden

  • EBS snapshots were created from an EC2 instance Informational Cloud 2 variations

    One or more EBS snapshots were created from an EC2 instance.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Clone existing compute volumes for exfiltration purposes. This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.
    Investigative actions: Confirm that the identity intended to create the described snapshots. Monitor the source instance for additional suspicious activities. Follow further actions done by the identity.

    Variations

    EBS snapshots were created from an EC2 instance attached one or more volumes with sensitive data

    Informational overridden

    One or more EBS snapshots were created from an EC2 instance.The instance has one or more volumes attached containing sensitive data. overridden

    An unusual creation of EBS snapshots from an EC2 instances

    Low overridden

    One or more EBS snapshots were created from an EC2 instance.The operation was not performed by this identity in the last 30 days. overridden

  • External SaaS file-sharing activity Informational Identity Threat Module 1 variation

    A user shared files from within a SaaS service to an external domain.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may share files from a SaaS service to exfiltrate sensitive data.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Determine if the files are shared with users outside the organization and if the recipients are familiar. Review the files that were shared to determine if they contain sensitive data. Analyze the file types that were shared. Monitor the account for any further suspicious actions.

    Variations

    SaaS external file sharing to an abnormal domain

    Low overridden

    A user shared files to an external domain, which the organization does not typically share files with. overridden

  • Large volume of files potentially containing credentials accessed in Google Drive Informational Identity Threat Module 1 variation

    A user accessed a large volume of files potentially containing credentials in Google Drive.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009) Credential Access (TA0006)
    ATT&CK techniques: Data from Cloud Storage (T1530) Unsecured Credentials (T1552)
    Required data: Google Workspace Audit Logs
    Detector tags: Google Workspace
    Attacker's goals: An attacker may attempt to gain unauthorized access by leveraging valid credentials found in Google Drive.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Verify if the user account that accessed the files is authorized to access them. Review the files accessed and whether it was part of a breach or a legitimate activity. Monitor the account for any further suspicious actions.

    Variations

    Possible credential files harvesting in Google Drive

    Low overridden

    A user accessed a large volume of files potentially containing credentials in Google Drive. overridden

  • Massive file downloads from SaaS service Informational Identity Threat Module Email 3 variations

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Box Audit Log DropBox Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker may download files from a SaaS service to exfiltrate sensitive data.
    Investigative actions: Check for signs of account compromise, such as abnormal login activity or unusual behavior. Review the files that were downloaded to determine if they contain sensitive data. Verify if the user account that downloaded the files is authorized to access them. Analyze the file types that were downloaded. Monitor the account for any further suspicious actions.

    Variations

    Suspicious SaaS service file downloads

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. The user connected from an unknown IP and displayed suspicious characteristics. overridden

    Massive file downloads from SaaS service by terminated user

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden

    Massive code file downloads from SaaS service

    Low overridden

    A user downloaded a large volume of files from an organizational SaaS service, either exceeding the normal file count or size for the user's typical behavior. overridden

  • Microsoft 365 storage services exfiltration activity Low Cloud

    The Microsoft Graph API was used to download Microsoft OneDrive and SharePoint files.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Azure Audit Log Microsoft Graph Logs
    Detector tags: Microsoft Graph Activity Logs
    Attacker's goals: To extract sensitive information stored in Microsoft 365 storage services.
    Investigative actions: Determine which items were downloaded and whether they contained any sensitive information. Investigate the identity following actions.
  • Suspicious AWS SSM parameters retrieval activity Informational Cloud 1 variation

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530)
    Required data: AWS Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed parameters' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    A non admin identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple AWS SSM parameters from the project.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • Suspicious ML Model Download Informational Cloud 1 variation

    A model artifact was accessed from cloud storage by an identity that typically doesn't interact with model files.MITRE ATLAS Technique: AML.T0035 - ML Artifact Collection.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud AI Infrastructure Analytics
    Attacker's goals: Adversaries may collect ML artifacts for exfiltration or for use in ML Attack Staging.
    Investigative actions: Examine the bucket to determine which model was accessed. Verify that this command was executed by a trusted source.

    Variations

    Suspicious First-Time AI Model Download by Identity

    Medium overridden

    A model artifact was accessed from cloud storage by an identity that did not interact with model files recently. overridden

  • Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation

    A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    1 Day
    ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: XDR Agent with eXtended Threat Hunting (XTH)
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.
    Investigative actions: Check if there is an active attack against the Kubernetes cluster.

    Variations

    Suspicious access to Kubernetes API with kubelet credentials from unusual pod

    Medium overridden

    A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden

  • Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)
    ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Exfiltration, Data Detection & Response
    Attacker's goals: Exfiltrate sensitive data from the cloud environment.
    Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.

    Variations

    Suspicious identity with DevOps behavior downloaded multiple objects from a bucket

    Informational overridden

    An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

    Suspicious identity downloaded multiple objects from a bucket that contains sensitive files

    Medium overridden

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden

    Suspicious identity downloaded multiple objects from a backup storage bucket

    Medium overridden

    An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden

  • Suspicious secrets dump activity Informational Cloud 2 variations

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity extracted every secret within the organization across multiple regions

    Medium overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

  • User accessed SaaS resource via anonymous link Informational Identity Threat Module 2 variations

    A user accessed a SaaS resource via an anonymous link.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Collection (TA0009)
    ATT&CK techniques: Data from Cloud Storage (T1530)
    Required data: Google Workspace Audit Logs Office 365 Audit
    Attacker's goals: An attacker is attempting to collect sensitive data.
    Investigative actions: Check the IP address from which the access originated. Examine the file that was accessed for any sensitive indicators. Follow further actions taken, such as downloading files.

    Variations

    External user accessed a sensitive SaaS file via anonymous link

    Low overridden

    An external user accessed a sensitive SaaS file via an anonymous link. overridden

    User accessed a public Google Drive document

    Informational overridden

    A user accessed a Google Drive document that is public on the web. overridden