Cloud unusual access key creation

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-18
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Cloud Credentials (T1098.001)

Severity

Informational

Description

Cloud suspicious access key creation by a cloud identity.

Attacker's Goals

Persist in the environment.

Investigative actions

  • investigate the identity who created the access token.
  • Check the access token activity in the organization.

Variations

Cloud successful access key creation by an unusual identity

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Cloud Credentials (T1098.001)

Severity

Low

Description

Cloud suspicious access key creation by a cloud identity.

Attacker's Goals

Persist in the environment.

Investigative actions

  • investigate the identity who created the access token.
  • Check the access token activity in the organization.


Cloud unusual successful access key creation

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Account Manipulation: Additional Cloud Credentials (T1098.001)

Severity

Low

Description

Cloud suspicious access key creation by a cloud identity.

Attacker's Goals

Persist in the environment.

Investigative actions

  • investigate the identity who created the access token.
  • Check the access token activity in the organization.