Multiple cloud snapshots export

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2024-06-04
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

2 Hours

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Informational

Description

A cloud identity has downloaded multiple virtual machines or DB snapshots locally.

Attacker's Goals

Exfiltrate sensitive data that resides on the disk.

Investigative actions

  • Check if the identity intended to export the virtual machines or DB snapshots.
  • Check if the identity performed additional operations in the cloud environment that might be malicious.

Variations

Multiple cloud snapshots export

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

High

Description

A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address.
This action was unusual based on the cloud project history.

Attacker's Goals

Exfiltrate sensitive data that resides on the disk.

Investigative actions

  • Check if the identity intended to export the virtual machines or DB snapshots.
  • Check if the identity performed additional operations in the cloud environment that might be malicious.


Multiple cloud snapshots export

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Medium

Description

A cloud identity has downloaded multiple virtual machines or DB snapshots from an external IP address.
This action was unusual based on the cloud identity history.

Attacker's Goals

Exfiltrate sensitive data that resides on the disk.

Investigative actions

  • Check if the identity intended to export the virtual machines or DB snapshots.
  • Check if the identity performed additional operations in the cloud environment that might be malicious.


Multiple cloud snapshots export

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

A cloud identity has downloaded multiple virtual machines or DB snapshots locally.
This action was unusual based on the unsuccessful attempts rate.

Attacker's Goals

Exfiltrate sensitive data that resides on the disk.

Investigative actions

  • Check if the identity intended to export the virtual machines or DB snapshots.
  • Check if the identity performed additional operations in the cloud environment that might be malicious.


Multiple cloud snapshots export

Synopsis

ATT&CK Tactic

Exfiltration (TA0010)

ATT&CK Technique

Transfer Data to Cloud Account (T1537)

Severity

Low

Description

A cloud identity has downloaded multiple virtual machines or DB snapshots locally.
This action was unusual based on the cloud project or identity history.

Attacker's Goals

Exfiltrate sensitive data that resides on the disk.

Investigative actions

  • Check if the identity intended to export the virtual machines or DB snapshots.
  • Check if the identity performed additional operations in the cloud environment that might be malicious.