An identity initiated a download of multiple cloud objects

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-01-14

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Exfiltration
ATT&CK Tactic	Collection (TA0009) Exfiltration (TA0010)
ATT&CK Technique	Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
Severity	Informational

Description

An identity initiated a download of multiple cloud objects.
This might be an indication for an adversary trying to exfiltrate data from cloud storage.

Attacker's Goals

Exfiltrate data from the cloud environment.

Investigative actions

Check the identity which invoked the operations.
Check the accessed resource and verify it doesn't contain sensitive data.

Variations

An identity initiated a download of multiple cloud objects in large volume compared to the project's usual volume

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

An identity initiated a download of multiple cloud objects.
This might be an indication for an adversary trying to exfiltrate data from cloud storage.
This large volume of downloaded cloud storage operations has not been in this project for the last 30 days.

Attacker's Goals

Exfiltrate data from the cloud environment.

Investigative actions

Check the identity which invoked the operations.
Check the accessed resource and verify it doesn't contain sensitive data.

An identity initiated a download of multiple cloud objects in large volume compared to the bucket's usual volume

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

Attacker's Goals

Exfiltrate data from the cloud environment.

Investigative actions

Check the identity which invoked the operations.
Check the accessed resource and verify it doesn't contain sensitive data.