Analytics Alerts
Browse the Cortex analytics alert reference.
17 alerts match the current filters. technique: T1580 ✕
Show ATT&CK heatmapAWS EBS discovery operation Informational Cloud
AWS EBS discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)Required data: AWS Audit LogAttacker's goals: Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared. Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.Investigative actions: Verify if the identity typically queries EBS volumes or snapshots in this environment. Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous. Review surrounding activity for other discovery calls to assess broader enumeration behavior. Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.AWS EBS enumeration activity Informational Cloud
EBS volume and snapshot enumeration activity, potentially indicating block storage reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Identify existing EBS volumes and snapshots to understand what storage resources are available and in use. Assess if snapshots are shared with other accounts or publicly accessible. Identify potential data exfiltration paths or targets.Investigative actions: Review which EBS API calls were executed and their frequency. Analyze the identity performing the actions. Inspect sharing or access configurations of enumerated snapshots.AWS EC2 discovery operation Informational Cloud 3 variations
AWS EC2 discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Gather information about instances to identify targets and understand the environment. Plan lateral movement or privilege escalation.Investigative actions: Verify if the identity is authorized to perform EC2 queries and whether this activity aligns with its normal behavior. Check if there were related API calls before or after this event. Determine if the activity is part of a scheduled task or an unexpected manual request. Investigate whether this was followed by any actions that could indicate lateral movement.Variations
AWS VPC discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS Site-to-Site VPN discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS PrivateLink discovery operation
Informational overridden
AWS EC2 discovery operation. overridden
AWS EC2 infrastructure enumeration activity Informational Cloud
EC2 infrastructure enumeration activity detected within a specific AWS region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover EC2 resources and network setup to find potential weaknesses or targets. Use the gathered information to enable lateral movement, privilege escalation, or data exfiltration.Investigative actions: Identify and review the specific EC2 enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.AWS Lambda discovery operation Informational Cloud
AWS Lambda discovery operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions. Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.Investigative actions: Verify if the identity is expected to access Lambda configuration or code metadata. Check if this API call was part of a broader enumeration pattern. Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous. Investigate whether this was followed by any actions that could indicate lateral movement.AWS Lambda infrastructure enumeration activity Informational Cloud
Lambda infrastructure enumeration activity detected within a specific AWS region.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover deployed functions and their configurations. Assess IAM policies, event triggers, and execution limits to evaluate privilege levels and potential abuse paths. Enumerate metadata for potential weaknesses or sensitive data.Investigative actions: Identify and review the specific Lambda enumeration API calls executed and their frequency. Verify the identity performing the calls and assess if this behavior is typical or anomalous. Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.AWS S3 Buckets enumeration activity Informational Cloud
Enumeration of S3 buckets, suggesting potential cloud storage reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover available S3 buckets in the environment. Enumerate objects within buckets to determine the type and structure of stored data. Evaluate public access configurations of buckets to identify potential exposure or misconfigurations.Investigative actions: Identify the identity performing the calls and determine if this behavior aligns with their typical access patterns. Check access control policies and public access settings on the enumerated buckets for misconfigurations or unauthorized access attempts.AWS Security Service Enumeration Informational Cloud 1 variation
AWS security service enumeration activity, potentially indicating reconnaissance.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 15 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Software Discovery (T1518) Software Discovery: Security Software Discovery (T1518.001) Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Reconnaissance of security defenses to assess and identify exploitable weaknesses.Investigative actions: Review which API calls were executed and their frequency. Analyze the identity performing the actions. Inspect configurations of enumerated services.Variations
AWS Multiple Security Services Enumeration
Informational overridden
AWS security service enumeration activity, potentially indicating reconnaissance. overridden
AWS Storage Gateway enumeration Informational Cloud
An AWS Storage Gateway was enumerated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate the organizational structure to plan lateral movement.Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.AWS Storage Gateway file share enumeration Informational Cloud
AWS Storage Gateway file shares were enumerated.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit LogAttacker's goals: Enumerate the organizational structure to plan lateral movement.Investigative actions: Review recent activity related to the identity and the affected cloud environment. Check for other enumeration activity or attempts to access sensitive resources.AWS support case creation Informational Cloud
A cloud identity has created a new case in AWS support.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Privilege Escalation (TA0004)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Manipulation (T1098)Required data: AWS Audit LogAttacker's goals: Obtaining a list of resources that could be targeted for lateral movement or convincing AWS's support to perform actions on their behalf.Investigative actions: Investigate any unusual activity originating from the suspected identity. View the contents of the newly created case {case_id} .Cloud email infrastructure enumeration activity Informational Cloud
A cloud identity attempted to discover available email sending resources within the cloud environment.This may indicate an adversary attempting to map the organization's email sending environment and discover cloud resources that may assist to send phishing emails or spam.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit LogAttacker's goals: Map the cloud email environment and detect potential email resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available email resources were discovered. Investigate if the discovered email resources were used to send phishing emails or spam, or perform other attacks in the cloud environment.Cloud infrastructure enumeration activity Informational Cloud 1 variation
A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)Required data: AWS Audit Log Gcp Audit LogAttacker's goals: Map the cloud environment and detect potential resources to abuse.Investigative actions: Check the identity's role designation in the organization. Identify which available resources were discovered. Investigate if the discovered resources were used to extract sensitive information or perform other attacks in the cloud environment.Variations
Suspicious cloud infrastructure enumeration activity
Low overridden
A cloud identity attempted to discover available resources within the cloud environment.This may indicate an adversary attempting to map the organization's cloud environment and discover cloud resources that may assist to perform additional attacks within the environment. overridden
IAM instance profile associations were described Informational Cloud
AWS IAM instance profile associations were described.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- N/A (single event)
- Deduplication:
- 1 Day
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580)Required data: AWS Audit LogAttacker's goals: Discover infrastructure and resources that are available within a cloud environment.Investigative actions: Determine which instance profile associations were described. Investigate any suspicious activities related to the identity.Multi region enumeration activity Informational Cloud
An internal identity performed an operation on multiple regions, considerably more than usual.This may indicate an attacker's attempt to identify all available resources in the cloud environment.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 30 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007) Defense Evasion (TA0005)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Unused/Unsupported Cloud Regions (T1535) Cloud Service Discovery (T1526)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogAttacker's goals: Discover cloud resources that are available within the environment and leverage them to perform additional attacks against the organization. Detect unused geographic regions and leverage them to evade detection of malicious operations.Investigative actions: Check the identity designation. Verify that the identity did not perform any operation in a region that it shouldn't.Storage enumeration activity Informational Cloud
An identity attempted to discover cloud objects within storage buckets.This might be an attempt by an adversary to find sensitive data stored in cloud storage, which could lead to data theft.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 10 Minutes
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Storage Object Discovery (T1619) Cloud Infrastructure Discovery (T1580)Required data: AWS Audit Log Azure Audit Log Gcp Audit LogDetector tags: Cloud Data Asset Stealth Tactics, Data Detection & ResponseAttacker's goals: Access sensitive data stored in cloud infrastructure.Investigative actions: Check the identity's role designation in the organization. Identify which storage buckets were enumerated and whether they contained sensitive information.Unusual multi-region AWS Resource Explorer searches Informational Cloud
An identity performed unusual discovery activity in multiple regions using Resource Explorer's Search operation.
- Activation:
- 14 Days
- Training:
- 30 Days
- Test:
- 1 Hour
- Deduplication:
- 5 Days
ATT&CK tactics: Discovery (TA0007)ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Account Discovery: Cloud Account (T1087.004)Required data: AWS Audit LogAttacker's goals: Obtain a list of resources that could be targeted for lateral movement.Investigative actions: Investigate any unusual activity originating from the suspected identity.