EBS volume detachment attempt

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2025-12-08
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Cloud Compute Infrastructure (T1578)

Severity

Informational

Description

An attempt was made to detach an AWS EBS volume from an EC2 instance.

Attacker's Goals

Exfiltrate sensitive data stored on the detached volume.

Investigative actions

  • Review recent activity related to the identity and the detached volume.

Variations

EBS volume detachment attempt using CloudFormation or Terraform

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Cloud Compute Infrastructure (T1578)

Severity

Informational

Description

An attempt was made to detach an AWS EBS volume from an EC2 instance.

Attacker's Goals

Exfiltrate sensitive data stored on the detached volume.

Investigative actions

  • Review recent activity related to the identity and the detached volume.
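
The investigative action above, for both the base alert and the CloudFormation/Terraform variation, sketched as an added example (not Cortex XDR's detection logic or code from this reference). It assumes the AWS Audit Log is available as CloudTrail records, uses constructed sample events, and treats the `userAgent` markers for CloudFormation and Terraform as an assumption about how the variation could be recognised.

```python
import json
from datetime import datetime, timedelta

def ev(time, name, arn, agent, params, error=None):
    """Build a constructed CloudTrail-style record (sample data, not real logs)."""
    rec = {"eventTime": time, "eventName": name, "userIdentity": {"arn": arn},
           "userAgent": agent, "requestParameters": params}
    if error:
        rec["errorCode"] = error
    return rec

DEV = "arn:aws:iam::111122223333:user/dev-example"   # constructed identities
OPS = "arn:aws:iam::111122223333:role/ops-example"
SAMPLE = [
    ev("2025-01-10T09:00:00Z", "DescribeVolumes", DEV, "aws-cli/2.15.0", None),
    ev("2025-01-10T09:05:00Z", "DetachVolume", DEV, "aws-cli/2.15.0",
       {"volumeId": "vol-0example1", "instanceId": "i-0example1"}),
    ev("2025-01-10T09:20:00Z", "AttachVolume", OPS, "aws-cli/2.15.0",
       {"volumeId": "vol-0example1", "instanceId": "i-0example2"}),
    ev("2025-01-10T09:30:00Z", "RunInstances", OPS, "console.amazonaws.com",
       {"instanceType": "t3.micro"}),
    ev("2025-01-12T10:00:00Z", "DetachVolume", OPS, "cloudformation.amazonaws.com",
       {"volumeId": "vol-0example2", "instanceId": "i-0example3"},
       error="Client.UnauthorizedOperation"),
]
IAC_MARKERS = ("cloudformation.amazonaws.com", "terraform")  # assumed userAgent markers

def _time(rec):
    return datetime.strptime(rec["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def _mentions(rec, volume_id):
    # Exact-value match of the volume ID anywhere in the request parameters.
    return f'"{volume_id}"' in json.dumps(rec.get("requestParameters") or {})

def triage_detachments(records, window=timedelta(hours=24)):
    """For each DetachVolume attempt (successful or denied), collect activity
    within the window by the same identity or referencing the same volume."""
    findings = []
    for rec in records:
        if rec.get("eventName") != "DetachVolume":
            continue
        volume = (rec.get("requestParameters") or {}).get("volumeId")
        arn = rec.get("userIdentity", {}).get("arn")
        agent = rec.get("userAgent", "").lower()
        related = [r["eventName"] for r in records
                   if r is not rec and abs(_time(r) - _time(rec)) <= window
                   and ((arn and r.get("userIdentity", {}).get("arn") == arn)
                        or (volume and _mentions(r, volume)))]
        findings.append({"volume": volume, "identity": arn,
                         "succeeded": "errorCode" not in rec,
                         "via_iac": any(m in agent for m in IAC_MARKERS),
                         "related": related})
    return findings
```

Denied calls are kept as findings because the alert fires on the attempt, not only on a completed detachment.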