An identity accessed cloud storage containing sensitive data

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-02-02

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Exfiltration
ATT&CK Tactic	Collection (TA0009) Exfiltration (TA0010)
ATT&CK Technique	Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
Severity	Informational

An identity accessed cloud storage containing sensitive data.

Exfiltrate data from the cloud environment.

Check the identity which invoked the operation.
Check the accessed resource and verify it doesn't contain sensitive data.