Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

1 alert match the current filters. tactic: TA0009 ✕ technique: T1555 ✕

Show ATT&CK heatmap
  • Suspicious secrets dump activity Informational Cloud 2 variations

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    1 Hour
    Deduplication:
    5 Days
    ATT&CK tactics: Credential Access (TA0006) Collection (TA0009)
    ATT&CK techniques: Unsecured Credentials (T1552) Data from Cloud Storage (T1530) Credentials from Password Stores: Cloud Secrets Management Stores (T1555.006)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Collect secrets from the cloud environment.
    Investigative actions: Check the accessed secrets' designation. Verify that the identity did not dump any sensitive information that it shouldn't.

    Variations

    An identity extracted every secret within the organization across multiple regions

    Medium overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden

    An identity extracted multiple secrets within the organization across multiple regions

    Low overridden

    An identity dumped multiple secrets from the project, considerably more than usual.This may indicate an attacker's attempt to dump sensitive information from the cloud environment. overridden