Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. technique: T1619 ✕

Show ATT&CK heatmap
  • AWS EBS discovery operation Informational Cloud

    AWS EBS discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log
    Attacker's goals: Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared. Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.
    Investigative actions: Verify if the identity typically queries EBS volumes or snapshots in this environment. Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous. Review surrounding activity for other discovery calls to assess broader enumeration behavior. Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.
  • AWS S3 discovery operation Informational Cloud

    AWS S3 discovery operation.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log
    Attacker's goals: Identify accessible buckets, enumerate their contents, and assess permissions or public exposure. Locate sensitive data, evaluate exfiltration paths, and plan privilege escalation or misconfiguration abuse.
    Investigative actions: Verify if the identity normally interacts with S3 in this environment. Check whether the activity was part of a legitimate application or automated process or if it appears interactive or out-of-pattern. Look for signs of broad enumeration, such as listing multiple buckets or traversing objects across different buckets. Investigate whether the accessed bucket or objects contain sensitive data or are configured for public or cross-account access. Correlate with other actions to determine if data was accessed, exfiltrated, or altered.
  • Cloud storage object discovery Informational Cloud

    Cloud storage object discovery.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    1 Day
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Attacker's goals: Identify sensitive data, valuable files, configuration details or other information that can be leveraged for further attacks.
    Investigative actions: Review the identity's permissions and historical access to the storage resource. Analyze the identity's immediate post-listing actions on the storage resource. Correlate this event with other discovery activity or suspicious logins by the identity.
  • Storage enumeration activity Informational Cloud

    An identity attempted to discover cloud objects within storage buckets.This might be an attempt by an adversary to find sensitive data stored in cloud storage, which could lead to data theft.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    10 Minutes
    Deduplication:
    5 Days
    ATT&CK tactics: Discovery (TA0007)
    ATT&CK techniques: Cloud Storage Object Discovery (T1619) Cloud Infrastructure Discovery (T1580)
    Required data: AWS Audit Log Azure Audit Log Gcp Audit Log
    Detector tags: Cloud Data Asset Stealth Tactics, Data Detection & Response
    Attacker's goals: Access sensitive data stored in cloud infrastructure.
    Investigative actions: Check the identity's role designation in the organization. Identify which storage buckets were enumerated and whether they contained sensitive information.