An S3 replication policy to an unknown bucket was created

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-01-14
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

Cloud Data Asset Exfiltration, Cloud Data Asset Configuration, Data Detection & Response

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

An S3 replication policy was added to an S3 bucket.
The referenced destination bucket was not seen in your tenant in the last 30 days.

Attacker's Goals

Exfiltrate data to an unknown bucket.

Investigative actions

  • Check the legitimacy of the referenced destination bucket.
  • Review further logs for the source bucket.
  • Review further actions performed by the identity.

Variations

Unusual S3 replication policy to an unknown bucket was created

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

An S3 replication policy was added to an S3 bucket.
The referenced destination bucket was not seen in your tenant in the last 30 days.
The operation was not performed in your organization in the last 30 days.

Attacker's Goals

Exfiltrate data to an unknown bucket.

Investigative actions

  • Check the legitimacy of the referenced destination bucket.
  • Review further logs for the source bucket.
  • Review further actions performed by the identity.


An S3 replication policy to an unknown bucket was created by an admin identity

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Informational

Description

An S3 replication policy was added to an S3 bucket.
The referenced destination bucket was not seen in your tenant in the last 30 days.
The identity exhibits administrative behavior.

Attacker's Goals

Exfiltrate data to an unknown bucket.

Investigative actions

  • Check the legitimacy of the referenced destination bucket.
  • Review further logs for the source bucket.
  • Review further actions performed by the identity.


An S3 replication policy to an unknown bucket was created - denied attempt

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

An attempt to create an S3 replication policy to an unknown bucket was denied.

Attacker's Goals

Exfiltrate data to an unknown bucket.

Investigative actions

  • Check the legitimacy of the referenced destination bucket.
  • Review further logs for the source bucket.
  • Review further actions performed by the identity.
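As an added example (not Cortex XDR's own detection logic), the following Python sketch applies the description above and its three variations to constructed CloudTrail-style PutBucketReplication records: a destination bucket absent from the set seen in the tenant over the last 30 days raises the alert, the denied, admin-identity and unusual-operation variants are chosen in that order, and a repeat of the same identity, source bucket and alert inside the 1-day deduplication period is suppressed. The record layout, the known-bucket set, the admin-identity set and the "operation seen in the organization" flag are assumptions standing in for the product's own baselining.

```python
from datetime import datetime, timedelta
ALERT = "An S3 replication policy to an unknown bucket was created"
ARN_PREFIX = "arn:aws:s3:::"

def rec(time, user, src, dst, error=None):  # constructed CloudTrail-shaped record; field layout is assumed
    e = {"eventTime": time, "eventName": "PutBucketReplication",
         "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
         "requestParameters": {"bucketName": src, "ReplicationConfiguration":
                               {"Rule": {"Destination": {"Bucket": ARN_PREFIX + dst}}}}}
    return {**e, "errorCode": error} if error else e  # errorCode is present when IAM/S3 rejected the call

def destination_buckets(event):  # Rule may be a single dict or a list of rules
    rules = event.get("requestParameters", {}).get("ReplicationConfiguration", {}).get("Rule", [])
    return [r["Destination"]["Bucket"].removeprefix(ARN_PREFIX)
            for r in ([rules] if isinstance(rules, dict) else rules) if "Destination" in r]

def classify(event, known_buckets, admin_identities, op_seen_in_org):
    """Alert variant a single record would raise, or None. The order of checks mirrors the variants above."""
    if event.get("eventName") != "PutBucketReplication" or all(
            b in known_buckets for b in destination_buckets(event)):
        return None  # not a replication change, or every destination was seen in the tenant in the last 30 days
    if event.get("errorCode"):
        return ALERT + " - denied attempt"
    if event["userIdentity"]["arn"] in admin_identities:
        return ALERT + " by an admin identity"
    if not op_seen_in_org:  # PutBucketReplication not performed anywhere in the organization in the last 30 days
        return "Unusual S3 replication policy to an unknown bucket was created"
    return ALERT

def run(events, known_buckets, admin_identities, op_seen_in_org, dedup=timedelta(days=1)):
    """Classify a stream; a repeat of one (identity, source bucket, alert) inside the dedup window is dropped."""
    last_seen, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        name = classify(ev, known_buckets, admin_identities, op_seen_in_org)
        key = (ev["userIdentity"]["arn"], ev.get("requestParameters", {}).get("bucketName"), name)
        ts = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ")
        if name and (key not in last_seen or ts - last_seen[key] >= dedup):
            last_seen[key] = ts
            alerts.append((ev["eventTime"], *key))
    return alerts
# Constructed inputs: buckets seen in the tenant in the last 30 days, identities profiled as administrative.
KNOWN_BUCKETS = {"corp-finance-data", "corp-logs", "corp-backup"}
ADMIN_IDENTITIES = {"arn:aws:iam::123456789012:user/root-admin"}
SAMPLE_EVENTS = [
    rec("2026-01-10T08:00:00Z", "alice", "corp-finance-data", "unknown-bkt-a"),
    rec("2026-01-10T10:00:00Z", "alice", "corp-finance-data", "unknown-bkt-a"),  # repeat within 1 day: deduplicated
    rec("2026-01-10T09:00:00Z", "bob", "corp-logs", "unknown-bkt-b", error="AccessDenied"),
    rec("2026-01-11T12:00:00Z", "root-admin", "corp-backup", "unknown-bkt-c"),
    rec("2026-01-11T13:00:00Z", "carol", "corp-logs", "corp-backup"),  # known destination: no alert
]
```

Calling `run(SAMPLE_EVENTS, KNOWN_BUCKETS, ADMIN_IDENTITIES, op_seen_in_org=True)` yields three alerts (base, denied attempt, admin identity); passing `op_seen_in_org=False` turns the first into the "Unusual" variant.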