A compute-attached identity executed API calls outside the instance's region

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A compute-attached identity performed actions outside the compute instance region.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

  • Verify whether the compute-attached identity's credentials were intentionally used remotely.
  • Check what API calls were executed using instance's attached role.
  • Check if the suspected instance is compromised.

Variations

A compute-attached identity executed API calls outside the Lambda function's region

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A compute-attached identity performed actions outside the Lambda function region.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

  • Verify whether the compute-attached identity's credentials were intentionally used remotely.
  • Check what API calls were executed using instance's attached role.
  • Check if the suspected instance is compromised.


A compute-attached identity executed API calls outside the instance's region from an unusual geolocation and ASN

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

High

Description

A compute-attached identity performed actions outside the compute instance region.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

  • Verify whether the compute-attached identity's credentials were intentionally used remotely.
  • Check what API calls were executed using instance's attached role.
  • Check if the suspected instance is compromised.


A compute-attached identity executed API calls outside the instance's region from an unusual geolocation

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A compute-attached identity performed actions outside the compute instance region.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

  • Verify whether the compute-attached identity's credentials were intentionally used remotely.
  • Check what API calls were executed using instance's attached role.
  • Check if the suspected instance is compromised.


A compute-attached identity executed API calls outside the instance's region from an unusual ASN

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A compute-attached identity performed actions outside the compute instance region.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

  • Verify whether the compute-attached identity's credentials were intentionally used remotely.
  • Check what API calls were executed using instance's attached role.
  • Check if the suspected instance is compromised.


A compute-attached identity failed to execute API calls outside the instance's region

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A compute-attached identity performed actions outside the compute instance region.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

  • Verify whether the compute-attached identity's credentials were intentionally used remotely.
  • Check what API calls were executed using instance's attached role.
  • Check if the suspected instance is compromised.


A compute-attached identity executed API calls outside the instance's region

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

A compute-attached identity performed actions outside the compute instance region.

Attacker's Goals

Exfiltrate token and abuse it remotely.

Investigative actions

  • Verify whether the compute-attached identity's credentials were intentionally used remotely.
  • Check what API calls were executed using instance's attached role.
  • Check if the suspected instance is compromised.