Synopsis

| Field | Value |
| --- | --- |
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 5 Days |
| Required Data | Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR GCP Audit Log |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An identity downloaded multiple objects from cloud storage.
This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
Attacker's Goals
Exfiltrate sensitive data from the cloud environment.
Investigative actions
- Check the designation of the accessed bucket and objects.
- Verify that the identity did not download any sensitive information that it should not have.
Variations
An identity performed a suspicious download of multiple cloud storage objects from an internal IP
Synopsis

| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
An identity downloaded multiple objects from cloud storage.
This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
Attacker's Goals
Exfiltrate sensitive data from the cloud environment.
Investigative actions
- Check the designation of the accessed bucket and objects.
- Verify that the identity did not download any sensitive information that it should not have.
An identity performed a suspicious download of multiple cloud storage objects
Synopsis

| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | High |
Description
An identity downloaded multiple objects from cloud storage.
This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
This large volume of downloaded cloud storage objects had not been seen across all projects for the last 30 days.
Attacker's Goals
Exfiltrate sensitive data from the cloud environment.
Investigative actions
- Check the designation of the accessed bucket and objects.
- Verify that the identity did not download any sensitive information that it should not have.
An identity performed a suspicious download of multiple cloud storage objects
Synopsis

| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
An identity downloaded multiple objects from cloud storage.
This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
This large volume of downloaded cloud storage objects had not been seen in this project for the last 30 days.
Attacker's Goals
Exfiltrate sensitive data from the cloud environment.
Investigative actions
- Check the designation of the accessed bucket and objects.
- Verify that the identity did not download any sensitive information that it should not have.
An identity performed a suspicious download of multiple cloud storage objects from multiple buckets
Synopsis

| Field | Value |
| --- | --- |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Medium |
Description
An identity downloaded multiple objects from cloud storage.
This may indicate an attacker's attempt to download sensitive data from a bucket in the cloud environment.
This large volume of downloaded cloud storage objects from several buckets had not been seen for the last 30 days.
Attacker's Goals
Exfiltrate sensitive data from the cloud environment.
Investigative actions
- Check the designation of the accessed bucket and objects.
- Verify that the identity did not download any sensitive information that it should not have.
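The following is an added illustration of how the variations above fit together, not code from the detector or its vendor: it counts object downloads per identity over a one-hour test window and compares them against a constructed 30-day baseline to pick the severity. The baseline numbers, the minimum object count for "multiple objects", the precedence between variations and the event tuple layout are all assumptions, since the page states none of them.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed training baseline (what a 30-day training period would yield):
# the most objects any identity downloaded in one hour, per project, and the
# most downloaded in one hour by an identity that touched several buckets.
PROJECT_HOURLY_MAX = {"proj-a": 40, "proj-b": 15}
MULTI_BUCKET_HOURLY_MAX = 25
MIN_OBJECTS = 5  # assumed: below this a burst is not "multiple objects"

# Constructed events for a one-hour test window, normalised from a cloud
# audit log into (identity, project, bucket, object, source_ip).
TEST_WINDOW_EVENTS = (
    [("svc-backup", "proj-a", "bkt-logs", f"log-{i}.gz", "10.0.1.5") for i in range(12)]
    + [("alice", "proj-b", "bkt-hr", f"payroll-{i}.xlsx", "203.0.113.9") for i in range(20)]
    + [("bob", "proj-a", "bkt-dev", f"src-{i}.zip", "198.51.100.3") for i in range(18)]
    + [("bob", "proj-a", "bkt-hr", f"file-{i}.pdf", "198.51.100.3") for i in range(17)]
    + [("carol", "proj-b", "bkt-fin", f"ledger-{i}.csv", "198.51.100.7") for i in range(45)]
    + [("dave", "proj-a", "bkt-dev", "readme.md", "10.0.2.8")]
)


def classify(events, project_max=PROJECT_HOURLY_MAX, multi_max=MULTI_BUCKET_HOURLY_MAX):
    """Map each identity in the window to (severity, variation); skip quiet ones."""
    stats = defaultdict(lambda: {"n": 0, "buckets": set(), "projects": set(), "ips": set()})
    for identity, project, bucket, _obj, ip in events:
        s = stats[identity]
        s["n"] += 1
        s["buckets"].add(bucket)
        s["projects"].add(project)
        s["ips"].add(ip)
    global_max = max(project_max.values(), default=0)
    alerts = {}
    for identity, s in stats.items():
        if s["n"] < MIN_OBJECTS:
            continue  # a handful of downloads is not a multi-object burst
        seen_in_project = max(project_max.get(p, 0) for p in s["projects"])
        # Assumed precedence: the rarest observation wins the higher severity.
        if s["n"] > global_max:
            alerts[identity] = ("High", "volume unseen across all projects in 30 days")
        elif s["n"] > seen_in_project:
            alerts[identity] = ("Medium", "volume unseen in this project in 30 days")
        elif len(s["buckets"]) > 1 and s["n"] > multi_max:
            alerts[identity] = ("Medium", "volume from multiple buckets unseen in 30 days")
        elif all(ip_address(ip).is_private for ip in s["ips"]):
            alerts[identity] = ("Informational", "multiple objects from an internal IP")
        else:
            alerts[identity] = ("Informational", "multiple objects downloaded")
    return alerts
```

Feeding the constructed window through `classify` yields one alert per identity that crossed the assumed minimum, which is the list an analyst would then triage with the investigative actions above.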