Analytics Alerts
Browse the Cortex analytics alert reference.
11 alerts match the current filters. tactic: TA0010 ✕ technique: T1530 ✕
Show ATT&CK heatmapAn EBS snapshot block was downloaded Informational Cloud 2 variations
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed snapshot and corresponding volume. Monitor additional snapshot blocks downloads from the snapshot. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An EBS snapshot block was downloaded from a snapshot with sensitive data
Medium overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The snapshot contains sensitive data. overridden
An unusual download of EBS snapshot block
Low overridden
An EBS snapshot block was downloaded using the EBS direct API.This may indicate an attacker's attempt to exfiltrate data from a volume snapshot in the cloud environment.The operation was not performed by this identity in the last 30 days. overridden
An identity accessed a backup cloud storage Informational Cloud 1 variation
An identity accessed a backup cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity accessed a backup cloud storage which wasn't read recently
Low overridden
An identity accessed a backup cloud storage. overridden
An identity accessed a cloud storage for the first time Informational Cloud
An identity accessed a cloud storage resource for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Review the identity that invoked the operation. Verify the accessed resource and ensure it does not contain sensitive data.An identity accessed cloud storage containing sensitive data Informational Cloud
An identity accessed cloud storage containing sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.An identity initiated a download of multiple cloud objects Informational Cloud 2 variations
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume
Medium overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden
An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume
Low overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects Informational Cloud 4 variations
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
An identity performed a suspicious download of multiple cloud storage objects from an internal IP
Informational overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
An identity performed a suspicious download of multiple cloud storage objects
High overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days. overridden
An identity performed a suspicious download of multiple cloud storage objects from multiple buckets
Medium overridden
An identity downloaded multiple objects from cloud storage.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days. overridden
An unusual read activity of cloud object Informational Cloud
An identity accessed a cloud object filetype for the first time.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation. Check the accessed resource and verify it doesn't contain sensitive data.Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Data exfiltration from cloud database Low Cloud 2 variations
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operation.Variations
Data exfiltration from cloud database containing sensitive data from a production account toa foreign account
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Suspicious data exfiltration from cloud database
High overridden
An identity tries to exfiltrate data from cloud database, as indicated by multiple signals. overridden
Suspicious access to Kubernetes API with kubelet credentials Low Cloud 1 variation
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Collection (TA0009)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: XDR Agent with eXtended Threat Hunting (XTH)Detector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Usage of the Kubernetes API server to perform operations inside the cluster.Investigative actions: Check if there is an active attack against the Kubernetes cluster.Variations
Suspicious access to Kubernetes API with kubelet credentials from unusual pod
Medium overridden
A combination of signals has been detected indicating that kubelet credentials were used inside a pod to access the Kubernetes API. This activity suggests an attempt to escalate privileges or move laterally within the cluster. overridden
Suspicious identity downloaded multiple objects from a bucket Low Cloud 3 variations
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Automated Exfiltration (T1020)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data from the cloud environment.Investigative actions: Check the accessed bucket and objects designation. Verify that the identity did not download any sensitive information that it shouldn't.Variations
Suspicious identity with DevOps behavior downloaded multiple objects from a bucket
Informational overridden
An identity with DevOps behavior downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden
Suspicious identity downloaded multiple objects from a bucket that contains sensitive files
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. The bucket contains sensitive files. overridden
Suspicious identity downloaded multiple objects from a backup storage bucket
Medium overridden
An identity downloaded multiple objects from a bucket, considerably more than usual.This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment. overridden