Activity in a dormant region of a cloud project

Cortex XDR Analytics Alert Reference by data source

Last date published
2024-04-15

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
    • Azure Audit Log
    • Gcp Audit Log

Detection Modules

Cloud

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Unused/Unsupported Cloud Regions (T1535)

Severity

Informational

Description

A cloud project had unusual activity in a previously dormant region.

Attacker's Goals

Abuse services in unused geographic regions to evade detection.
Attackers take advantage of regions that are not monitored to keep their activity from being detected. Such activity may include attacks against internal cloud resources, lateral movement within the environment, cryptocurrency mining through resource hijacking, and more.

Investigative actions

  • Check if the detected region is required.
  • Delete any resource that was created in the unused region.
  • Disable all unused regions.

Variations

A cloud compute instance was created in a dormant region

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Unused/Unsupported Cloud Regions (T1535)

Severity

Medium

Description

A cloud project had unusual activity in a previously dormant region.

Attacker's Goals

Abuse services in unused geographic regions to evade detection.
Attackers take advantage of regions that are not monitored to keep their activity from being detected. Such activity may include attacks against internal cloud resources, lateral movement within the environment, cryptocurrency mining through resource hijacking, and more.

Investigative actions

  • Check if the detected region is required.
  • Delete any resource that was created in the unused region.
  • Disable all unused regions.
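The following is an added worked example, not Cortex XDR's own analytics code (which is not published on this page), illustrating the behaviour described for both the base alert and the compute-instance variation above: regions with no activity for an account during the 30-day training period are treated as dormant, an event in such a region raises an Informational alert, a compute-instance creation raises a Medium alert, accounts with less than the 14-day activation period of history are not evaluated, and repeated alerts for the same account, region and severity are deduplicated for 5 days. The event layout is a constructed CloudTrail-style record (eventTime, recipientAccountId, awsRegion, eventName) and the set of "compute created" event names is an assumption; the sample log lines are constructed.

```python
"""Added illustration of the 'activity in a dormant region' detection.

Assumptions (not from the Cortex XDR page): events are CloudTrail-like dicts
with eventTime, recipientAccountId, awsRegion and eventName; RunInstances is
the only event treated as 'compute instance created'.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Periods taken from the alert reference
ACTIVATION_PERIOD = timedelta(days=14)
TRAINING_PERIOD = timedelta(days=30)
DEDUP_PERIOD = timedelta(days=5)

# Assumed mapping of audit events to the "compute instance created" variation
COMPUTE_CREATE_EVENTS = {"RunInstances"}


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def build_baseline(events, now):
    """Return (regions seen per account in the training window, first event per account)."""
    start = now - TRAINING_PERIOD
    regions = defaultdict(set)
    first_seen = {}
    for ev in events:
        t = _ts(ev)
        acct = ev["recipientAccountId"]
        first_seen[acct] = min(t, first_seen.get(acct, t))
        if start <= t < now:
            regions[acct].add(ev["awsRegion"])
    return regions, first_seen


def detect(events, now):
    """Evaluate events at or after `now` against the baseline learned before it.

    At most one alert per (account, region, severity) within DEDUP_PERIOD;
    accounts with less than ACTIVATION_PERIOD of history are skipped.
    """
    regions, first_seen = build_baseline(events, now)
    last_alert = {}
    alerts = []
    for ev in sorted(events, key=_ts):
        t = _ts(ev)
        if t < now:
            continue                                  # training data only
        acct, region = ev["recipientAccountId"], ev["awsRegion"]
        if now - first_seen[acct] < ACTIVATION_PERIOD:
            continue                                  # not enough history yet
        if region in regions[acct]:
            continue                                  # region in normal use
        severity = "Medium" if ev["eventName"] in COMPUTE_CREATE_EVENTS else "Informational"
        key = (acct, region, severity)
        if key in last_alert and t - last_alert[key] < DEDUP_PERIOD:
            continue                                  # deduplicated
        last_alert[key] = t
        alerts.append({"account": acct, "region": region, "severity": severity,
                       "eventName": ev["eventName"], "eventTime": ev["eventTime"]})
    return alerts


def _event(time, acct, region, name):
    return {"eventTime": time, "recipientAccountId": acct, "awsRegion": region, "eventName": name}


# Constructed sample log, not real audit data
SAMPLE_EVENTS = [
    _event("2024-03-20T10:00:00Z", "111111111111", "us-east-1", "DescribeInstances"),
    _event("2024-04-01T09:30:00Z", "111111111111", "eu-west-1", "ListBuckets"),
    _event("2024-04-10T11:00:00Z", "222222222222", "us-west-2", "ListBuckets"),
    _event("2024-04-15T02:10:00Z", "111111111111", "us-east-1", "RunInstances"),          # known region
    _event("2024-04-15T02:12:00Z", "111111111111", "ap-southeast-2", "DescribeRegions"),  # dormant
    _event("2024-04-15T02:15:00Z", "111111111111", "ap-southeast-2", "RunInstances"),     # dormant + compute
    _event("2024-04-15T03:00:00Z", "222222222222", "eu-central-1", "RunInstances"),       # account too new
    _event("2024-04-16T08:00:00Z", "111111111111", "sa-east-1", "RunInstances"),          # dormant + compute
    _event("2024-04-17T09:00:00Z", "111111111111", "ap-southeast-2", "DescribeInstances"),  # deduplicated
]
NOW = datetime(2024, 4, 15)


def run_sample():
    return detect(SAMPLE_EVENTS, NOW)


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['eventTime']} {a['account']} {a['region']:15} {a['severity']:13} {a['eventName']}")
```

Deduplication is keyed on severity as well as account and region so that an Informational alert on the first API call in a dormant region does not suppress the Medium alert for the instance creation that follows it; keying on account and region alone would hide the higher-severity variation.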