Analytics Alerts
Browse the Cortex analytics alert reference.
32 alerts match the current filters. technique: T1537 ✕
Show ATT&CK heatmapA Backup vault policy was modified Low Cloud
A cloud identity has modified backup vault access policy.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Manipulate access to a backup vault.Investigative actions: Check if the {identity_name} intended to modify the backup vault policy. Check additional activity by {identity_name}.A Cloud DB instance was exported to an unknown destination Informational Cloud
A Cloud DB instance was exported to a foreign storage destination.The destination storage has not been seen in the organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate sensitive database content to an external or attacker-controlled bucket.Investigative actions: Verify if the destination bucket is authorized for data export. Investigate the identity performing the action for unusual behavior or lack of authorization. Assess the sensitivity of the data within the source Cloud DB instance to determine impact.A GCP Cloud SQL DB instance was exported from a production account Informational Cloud
A GCP Cloud SQL DB instance was exported to a storage bucket.The DB instance was exported from a production account.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source Cloud DB instance. Review further actions performed by the identity.A cloud snapshot of AWS database or storage was modified or shared Informational Cloud 2 variations
A cloud identity has shared a snapshot of an AWS database or storage instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot of a database or storage instance was shared public
Low overridden
A cloud identity has shared a snapshot of an AWS database or storage instance. overridden
Cloud snapshot of a database or storage instance was shared with an unknown AWS account
Low overridden
A cloud identity has shared a snapshot of an AWS database or storage instance. overridden
A cloud storage object was copied to a foreign cloud account Medium Cloud 2 variations
A cloud storage object was copied or moved to a foreign cloud storage account.The destination account was either not monitored or not seen within your tenant for the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate data to a foreign account.Investigative actions: Check the legitimacy of the copy operation. Review further actions performed by the identity.Variations
A cloud storage object from a sensitive bucket was copied to a foreign cloud account from a production account
High overridden
A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden
A cloud storage object was copied to a foreign cloud account from a production account
Medium overridden
A cloud storage object was copied or moved to a foreign cloud storage account from a production account.The destination account was either not monitored or not seen within your tenant for the last 30 days. overridden
AWS EC2 instance exported into S3 Informational Cloud
A running or stopped instance was exported to an Amazon S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.AWS Transfer Family server created Informational Cloud 1 variation
A cloud identity created server using AWS Transfer Family service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Attacker is trying to exfiltrate data out of AWS storage services.Investigative actions: Check if the AWS Transfer Family service is used by your organization. Check if {identity_name} created a server using this service before. Check which storage instances were affected by {transfer_server_id} server.Variations
Unusual cloud transfer service activity
Low overridden
A cloud identity created server using AWS Transfer Family service. overridden
An AWS EC2 instance containing sensitive data was exported Informational Cloud
A EC2 instance was exported to an S3 bucket.The instance was found to contain sensitive data.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS EC2 instance was exported from a production account Informational Cloud
An EC2 instance was exported from a production account to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS EC2 instance was exported into an unknown S3 bucket Informational Cloud
An EC2 instance was exported to an unknown S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 3 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: An attack may exfiltrate data from an EC2 instance to an S3 bucket outside the account.Investigative actions: Check the identity that exported the instance. Check to which S3 bucket the EC2 was exported into. Check the S3 bucket permission and policy.An AWS RDS instance was created from a snapshot Informational Cloud
A new AWS RDS instance was created from a publicly available RDS snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Gain access to the RDS instance. Access confidential data stored in the RDS instance.Investigative actions: Check the RDS instance status in the AWS console. Verify if the instance is publicly accessible.An Azure SQL database was exported from a production subscription Informational Cloud
An Azure SQL database export was initiated.The database was exported from a production subscription.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source SQL instance. Review further actions performed by the identity.An Azure VM snapshot SAS URL was generated for export from a production subscription Informational Cloud
A SAS URL for an Azure VM snapshot was generated.The operation was performed within a production subscription.SAS URLs allow others to download or export the snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate the VM disk image to access sensitive data stored on the disk.Investigative actions: Verify if the identity is authorized to generate SAS URLs for VM snapshots. Check if the snapshot export aligns with scheduled maintenance or backup procedures. Review further actions performed by the identity to see if the snapshot was downloaded or accessed.An RDS snapshot containing sensitive data was exported Informational Cloud
An RDS snapshot containing sensitive data was exported to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.An RDS snapshot was exported from a production account Informational Cloud
An RDS snapshot was exported from a production account to an S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.An RDS snapshot was exported to an unknown S3 bucket Low Cloud 3 variations
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source snapshot ID. Review further actions performed by the identity and role.Variations
An RDS snapshot was exported to an unknown S3 bucket by an admin identity
Informational overridden
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days.The identity has an administrative behavior. overridden
An RDS snapshot was exported to an unknown S3 bucket with suspicious indicators
Medium overridden
An RDS snapshot was exported to an S3 bucket.The destination S3 bucket was not seen in your organization in the last 30 days. overridden
An RDS snapshot was exported to an unknown S3 bucket - denied attempt
Informational overridden
A denied attempt to export an RDS snapshot to an unknown S3 bucket. overridden
An RDS snapshot was exported to an unknown bucket Informational Cloud 1 variation
An RDS snapshot was exported to an unknown S3 bucket.The destination bucket has not been seen in your tenant in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & Response, Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the destination bucket. Review further logs for the source RDS instance. Review further actions performed by the identity.Variations
Failed RDS snapshot export attempt to an unknown bucket
Informational overridden
A failed attempt to export an RDS snapshot to an unknown bucket. overridden
An S3 replication policy to an unknown bucket was created Low Cloud 3 variations
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate data to an unknown bucket.Investigative actions: Check the legitimacy of the referenced destination bucket. Review further logs for the source bucket. Review further actions performed by the identity.Variations
Unusual S3 replication policy to an unknown bucket was created
Low overridden
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The operation was not performed in your organization in the last 30 days. overridden
An S3 replication policy to an unknown bucket was created by an admin identity
Informational overridden
An S3 replication policy was added to an S3 bucket.The referenced destination bucket was not seen in your tenant in the last 30 days.The identity has an administrative behavior. overridden
An S3 replication policy to an unknown bucket was created - denied attempt
Low overridden
A denied attempt to create an S3 replication policy to an unknown bucket. overridden
An identity initiated a download of multiple cloud objects Informational Cloud 2 variations
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Collection (TA0009) Exfiltration (TA0010)ATT&CK techniques: Data from Cloud Storage (T1530) Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset ExfiltrationAttacker's goals: Exfiltrate data from the cloud environment.Investigative actions: Check the identity which invoked the operations. Check the accessed resource and verify it doesn't contain sensitive data.Variations
An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume
Medium overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been in this project for the last 30 days. overridden
An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume
Low overridden
An identity initiated a download of multiple cloud objects.This might be an indication for an adversary trying to exfiltrate data from cloud storage.This large volume of downloaded cloud storage operations has not been seen in this bucket for the last 30 days. overridden
An unusual cloud identity was granted permissions to a BigQuery resource Informational Cloud 1 variation
An unusual cloud identity was granted permissions to a BigQuery table or dataset.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery tables or datasets.Investigative actions: Check if {cloud_best_identity_match} intended to change BigQuery resource policy. Verify if the affected tables or datasets did not contain any sensitive information.Variations
Cloud admin granted an unknown identity permissions to a BigQuery resource
Informational overridden
An unusual cloud identity was granted permissions to a BigQuery table or dataset. overridden
Azure storage account cross-tenant object replication was enabled Informational Cloud 1 variation
Azure cross-tenant object replication in a storage account was enabled.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Azure Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Enable unauthorized data transfer to an external or attacker-controlled environment. Establish a persistent channel for ongoing data exfiltration. Conceal malicious activity by utilizing legitimate cross-tenant object replication functionality.Investigative actions: Confirm that the identity intended to enable cross-tenant replication. Follow further actions done by the identity. Monitor the storage account for other suspicious activities.Variations
Azure storage account cross-tenant object replication was enabled for the first time in a subscription
Low overridden
Azure cross-tenant object replication in a storage account was enabled for the first time in a subscription. overridden
Bedrock model shared with a foreign account Low Cloud
A bedrock model was shared with a foreign account through AWS resource access manager.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud AI Infrastructure AnalyticsAttacker's goals: Exfiltrate the proprietary model to a foreign account and establish persistent access to it.Investigative actions: Investigate the foreign cloud accounts that gained access to the models. Assess the sensitivity of the shared models to determine the potential impact of this exposure. Identify the actor and investigate their identity for compromise.BigQuery table or query results exfiltrated to a foreign project Informational Cloud 2 variations
A cloud identity exfiltrated BigQuery table data to a foreign storage service.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Gcp Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides inside BigQuery table.Investigative actions: Check if {cloud_best_identity_match} intended to transfer data from BigQuery table. Verify if the affected table did not contain any sensitive information.Variations
BigQuery table or query results exfiltrated to a foreign project by cloud admin identity
Informational overridden
A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden
BigQuery table or query results exfiltrated to a foreign project by an unknown identity
Low overridden
A cloud identity exfiltrated BigQuery table data to a foreign storage service. overridden
Bucket's block public access setting turned off Informational Cloud
S3 bucket block public access setting turned off.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Expose bucket to the public and maintain access to bucket's resources avoiding detection.Investigative actions: Check if {cloud_best_identity_match} intended to modify block public access settings. Check if the {bucket_name} bucket contains any sensitive information.Bucket's object ownership controls were modified Informational Cloud
S3 bucket object ownership controls were modified.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Data Detection & ResponseAttacker's goals: Maintain control and access to data that resides inside the S3 bucket.Investigative actions: Check if {cloud_best_identity_match} intended to modify bucket's object ownership. Check if the {aws_s3bucket_identifier} bucket contains any sensitive information.Cloud snapshot created or modified Informational Cloud 3 variations
A cloud identity has created or modified a cloud snapshot.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010) Defense Evasion (TA0005) Collection (TA0009)ATT&CK techniques: Transfer Data to Cloud Account (T1537) Modify Cloud Compute Infrastructure (T1578) Data from Cloud Storage (T1530)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to create or modify the snapshot. Check if the identity performed additional malicious operations within the cloud environment.Variations
Cloud snapshot was configured for public access
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot was shared with an unusual AWS account(s)
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Previously unseen GCP principal was bound to cloud snapshot
Low overridden
A cloud identity has created or modified a cloud snapshot. overridden
Cloud snapshot of a database or storage instance was publicly shared Medium Cloud
A cloud identity has publicly shared a snapshot of a database or storage instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Cloud Data Asset Public Exposure, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the snapshot.Investigative actions: Check if the identity intended to share the snapshot publicly. Check if the identity performed additional malicious operations within the cloud environment.EC2 instance Amazon machine image was created Informational Cloud
Amazon machine image was created from elastic compute cloud instance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogAttacker's goals: Creating Amazon machine images might be part of elastic compute cloud instance exfiltration chain.Investigative actions: Check if {identity_name} to create Amazon machine image. Check if the {cloud_aws_instance_id} instance did not contain any sensitive data.EC2 snapshot attribute has been modified Informational Cloud
The snapshot's permissions were modified (added/removed).
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Protection Tampering, Cloud Data Asset Configuration, Data Detection & ResponseAttacker's goals: Exfiltrate backup/stored information.Investigative actions: Check if the snapshot is shared with an unwanted account/actor.External Sharing was turned on for Google Drive Informational Identity Threat Module 3 variations
An identity has modified Google Drive sharing settings and allowed external sharing.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: Google Workspace Audit LogsDetector tags: Google WorkspaceAttacker's goals: Adversaries may exfiltrate data, such as sensitive documents.Investigative actions: Check if the identity intended to perform this action or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity). check the new setting details. Follow further actions done by the account.Variations
External Sharing was turned on for Google Drive by a non Google Workspace administrative user from an unusual ASN
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
External Sharing was turned on for Google Drive by a non Google Workspace administrative user
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
External Sharing was turned on for Google Drive from an unusual ASN
Low overridden
An identity has modified Google Drive sharing settings and allowed external sharing. overridden
Foreign account was granted permissions to S3 bucket via resource-based policy Informational Cloud 1 variation
Foreign account was granted access to S3 bucket.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: The attacker wants to maintain control over the resource.Investigative actions: Check if the {cloud_best_identity_match} intended to modify {aws_s3bucket_identifier} policy. Check the permissions that were granted to the {aws_grantee_project}. Restrict permissions for the {aws_grantee_project} if needed.Variations
Foreign account was granted permissions to S3 bucket containing sensitive information via resource-based policy
Low overridden
Foreign account was granted access to S3 bucket. overridden
Multiple cloud snapshots export Informational Cloud 4 variations
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 2 Hours
- Deduplication:
- 5 Days
ATT&CK tactics: Exfiltration (TA0010)ATT&CK techniques: Transfer Data to Cloud Account (T1537)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Exfiltration, Data Detection & ResponseAttacker's goals: Exfiltrate sensitive data that resides on the disk.Investigative actions: Check if the identity intended to export the virtual machines or DB snapshots. Check if the identity performed additional operations in the cloud environment that might be malicious.Variations
Multiple cloud snapshots export
High overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on the cloud project history. overridden
Multiple cloud snapshots export
Medium overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address. This action was unusual based on The cloud identity history. overridden
Multiple cloud snapshots export
Low overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the unsuccessful attempts rate. overridden
Multiple cloud snapshots export
Low overridden
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.This action was unusual based on the cloud project or identity history. overridden