Synopsis

| Property | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 1 Hour |
| Deduplication Period | 5 Days |
| Required Data | Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | Initial Access (TA0001) |
| ATT&CK Technique | Valid Accounts: Cloud Accounts (T1078.004) |
| Severity | Informational |
Description
An identity performed actions from multiple countries within a short period of time, which is highly unlikely for legitimate activity.
This may indicate that the identity has been compromised.
Attacker's Goals
Obtain and abuse credentials of cloud accounts.
Investigative actions
Check whether the credentials of the identity have been compromised.
Variations
Impossible travel by a cloud compute function identity
Synopsis
Description
An identity performed actions from multiple countries within a short period of time, which is highly unlikely for legitimate activity.
This may indicate that the identity has been compromised.
Attacker's Goals
Obtain and abuse credentials of cloud accounts.
Investigative actions
Check whether the credentials of the identity have been compromised.
Impossible travel by a suspicious cloud identity
Synopsis
Description
An identity performed actions from multiple countries within a short period of time, which is highly unlikely for legitimate activity.
This may indicate that the identity has been compromised.
Attacker's Goals
Obtain and abuse credentials of cloud accounts.
Investigative actions
Check whether the credentials of the identity have been compromised.
Impossible travel by a cloud compute identity
Synopsis
Description
An identity performed actions from multiple countries within a short period of time, which is highly unlikely for legitimate activity.
This may indicate that the identity has been compromised.
Attacker's Goals
Obtain and abuse credentials of cloud accounts.
Investigative actions
Check whether the credentials of the identity have been compromised.
Impossible travel by an unusual cloud identity
Synopsis
Description
An identity performed actions from multiple countries within a short period of time, which is highly unlikely for legitimate activity.
This may indicate that the identity has been compromised.
Attacker's Goals
Obtain and abuse credentials of cloud accounts.
Investigative actions
Check whether the credentials of the identity have been compromised.
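The detection logic described in the Description above and repeated for each variation (one identity acting from more than one country inside a short window), shown as an added, illustrative example. This is not the product's own detector code: it assumes a simplified, provider-neutral event shape in which the source country has already been resolved from the caller's IP, treats the 1-hour Test Period as the evaluation window and the 5-day Deduplication Period as an alert-suppression interval, and runs over constructed sample events.

```python
"""Impossible-travel check over cloud audit log events (added example, not product code)."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events. Real AWS/Azure/GCP audit records differ in shape;
# here each event is assumed to carry a UTC timestamp, the acting identity and the
# country resolved from the source IP (resolution itself is out of scope).
SAMPLE_EVENTS = [
    {"time": "2024-01-10T09:00:00Z", "identity": "deploy-bot", "country": "DE", "action": "ListBuckets"},
    {"time": "2024-01-10T09:45:00Z", "identity": "deploy-bot", "country": "BR", "action": "CreateAccessKey"},
    {"time": "2024-01-10T09:20:00Z", "identity": "deploy-bot", "country": "DE", "action": "GetObject"},
    {"time": "2024-01-10T08:00:00Z", "identity": "alice", "country": "US", "action": "ConsoleLogin"},
    {"time": "2024-01-10T15:30:00Z", "identity": "alice", "country": "GB", "action": "ConsoleLogin"},
    {"time": "2024-01-10T10:00:00Z", "identity": "ci-runner", "country": "IE", "action": "AssumeRole"},
]

WINDOW = timedelta(hours=1)        # assumed to mirror the detector's 1-hour Test Period
DEDUP_PERIOD = timedelta(days=5)   # assumed to mirror the 5-day Deduplication Period


def parse_time(value):
    """Parse the ISO-8601 'Z' timestamps used in the sample events as UTC."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, window=WINDOW):
    """Return one finding per identity that acted from >1 country within `window`.

    Each finding records the identity, the sorted set of countries seen, and the
    first and last event time of the offending window.
    """
    by_identity = defaultdict(list)
    for event in events:
        by_identity[event["identity"]].append((parse_time(event["time"]), event["country"]))

    findings = []
    for identity, seq in by_identity.items():
        seq.sort()  # audit logs are frequently delivered out of order
        for i, (t0, c0) in enumerate(seq):
            countries, last_seen = {c0}, t0
            # Sliding window anchored on each event; events exactly `window` apart still count.
            for t, country in seq[i + 1:]:
                if t - t0 > window:
                    break
                countries.add(country)
                last_seen = t
            if len(countries) > 1:
                findings.append({
                    "identity": identity,
                    "countries": sorted(countries),
                    "first_seen": t0,
                    "last_seen": last_seen,
                })
                break  # one finding per identity per run; later windows would repeat it
    return findings


def dedupe(findings, prior_alerts, dedup_period=DEDUP_PERIOD):
    """Drop findings for identities already alerted on within `dedup_period`.

    `prior_alerts` maps identity -> datetime of the last alert raised for it.
    """
    kept = []
    for finding in findings:
        last_alert = prior_alerts.get(finding["identity"])
        if last_alert is None or finding["first_seen"] - last_alert > dedup_period:
            kept.append(finding)
    return kept


if __name__ == "__main__":
    for finding in dedupe(find_impossible_travel(SAMPLE_EVENTS), prior_alerts={}):
        print(f"{finding['identity']}: {finding['countries']} "
              f"between {finding['first_seen']:%H:%M} and {finding['last_seen']:%H:%M} UTC")
```

On the constructed input only `deploy-bot` is flagged (Germany and Brazil within 45 minutes); `alice` appears in two countries but seven and a half hours apart, so she falls outside the window, and `ci-runner` never leaves one country. The triage step from the Investigative actions still applies to a finding: a true positive here is credential compromise, so the access key created by `deploy-bot` during the window is the first thing to verify and, if unexplained, revoke.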