A cloud storage object was copied to a foreign cloud account

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-06-18

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Exfiltration, Cloud Data Asset Configuration
ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Medium

Description

A cloud storage object was copied or moved to a foreign cloud storage account.
The destination account was either not monitored or not seen in your tenant for the last 30 days.

Attacker's Goals

Exfiltrate data to a foreign account.

Investigative actions

Check the legitimacy of the copy operation.
Review further actions performed by the identity.

Variations

A cloud storage object was copied to a foreign cloud account from a production account

Synopsis

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Medium

Description

A cloud storage object was copied or moved to a foreign cloud storage account from a production account.
The destination account was either not monitored or not seen in your tenant for the last 30 days.

Attacker's Goals

Exfiltrate data to a foreign account.

Investigative actions

Check the legitimacy of the copy operation.
Review further actions performed by the identity.