Analytics Alerts
Browse the Cortex analytics alert reference.
2 alerts match the current filters. technique: T1535 ✕
Show ATT&CK heatmapCompute activity in dormant cloud region Informational Cloud 3 variations
A compute resource was created or updated in a cloud region that has been dormant for this project.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Defense Evasion (TA0005)ATT&CK techniques: Unused/Unsupported Cloud Regions (T1535)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Create compute resources in unmonitored regions to evade detection for purposes such as hijacking resources or establishing persistence.Investigative actions: Verify if compute resources are authorized in this region. Terminate unauthorized compute resources and disable unused regions.Variations
Compute activity in dormant cloud region from a non-VPN IP address
Informational overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
A cloud compute instance was created in a dormant region
Medium overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
Compute activity in dormant cloud region by a compromised AWS access key
High overridden
A compute resource was created or updated in a cloud region that has been dormant for this project. overridden
Multi region enumeration activity Informational Cloud
An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.