Analytics Alerts

Browse the Cortex analytics alert reference.

Severity
Detection module
Data source

4 alerts match the current filters. technique: T1648 ✕

Show ATT&CK heatmap
  • A cloud function was created with an unusual runtime Low Cloud 3 variations

    A cloud function was created with an unusual runtime.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: AWS Audit Log Gcp Audit Log
    Attacker's goals: Execute arbitrary code in cloud environments.
    Investigative actions: Examine the cloud function's code implementation and look for any unusual invocations. Check for any unusual activities within the same project.

    Variations

    A cloud function was created with an unusual runtime by a known cloud identity

    Informational overridden

    A cloud function was created with an unusual runtime. overridden

    A cloud function was created with a runtime that was not seen in the organization

    Low overridden

    A cloud function was created with an unusual runtime. overridden

    A cloud function was created with a custom runtime

    Medium overridden

    A cloud function was created with an unusual runtime. overridden

  • An AWS Lambda Function was created Informational Cloud

    An AWS Lambda Function was created.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002) Persistence (TA0003)
    ATT&CK techniques: Serverless Execution (T1648) Scheduled Task/Job: Scheduled Task (T1053.005)
    Required data: AWS Audit Log
    Attacker's goals: Execute malicious code on AWS using Lambda functions. Maintain persistence on AWS Lambda by creating or invoking Lambda functions.
    Investigative actions: Identify the Lambda function that was created and analyze its code for any malicious activity.
  • An AWS Lambda function was modified Informational Cloud

    An AWS Lambda function was modified.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    5 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: AWS Audit Log
    Attacker's goals: Modification of Lambda functions may provide attackers access to run code against cloud environments.
    Investigative actions: Check what modifications were made to the AWS Lambda function.
  • Penetration testing tool activity attempt Informational Identity Analytics 1 variation

    A SaaS API was invoked by a penetration testing tool.

    Activation:
    14 Days
    Training:
    30 Days
    Test:
    N/A (single event)
    Deduplication:
    2 Days
    ATT&CK tactics: Execution (TA0002)
    ATT&CK techniques: Serverless Execution (T1648)
    Required data: Office 365 Audit
    Attacker's goals: Usage of known tools and frameworks.
    Investigative actions: Check if there is an active PT test ongoing.

    Variations

    Penetration testing tool activity attempt

    Medium overridden

    A SaaS API was successfully invoked by a penetration testing tool. overridden