Synopsis
Activation Period | 14 Days
Training Period | 30 Days
Test Period | 2 Hours
Deduplication Period | 5 Days
Required Data | Requires one of the following data sources: AWS Audit Log, Azure Audit Log, or GCP Audit Log
Detection Modules | Cloud
Detector Tags |
ATT&CK Tactic | Exfiltration (TA0010)
ATT&CK Technique | Transfer Data to Cloud Account (T1537)
Severity | Informational
Description
A cloud identity has downloaded multiple virtual machine or database snapshots to a local destination, i.e. outside the cloud provider's own storage.
Attacker's Goals
Exfiltrate sensitive data that resides on the disk.
Investigative actions
- Check whether the identity intended to export the virtual machine or database snapshots (for example as part of a scheduled backup, migration, or forensic task).
- Check whether the identity performed additional operations in the cloud environment that might be malicious, before or after the exports.
Variations
Multiple cloud snapshots export
Synopsis
Description
A cloud identity has downloaded multiple virtual machine or database snapshots from an external IP address.
This action was unusual based on the history of the cloud project: no comparable export activity was seen in the project during the training period.
Attacker's Goals
Exfiltrate sensitive data that resides on the disk.
Investigative actions
- Check whether the identity intended to export the virtual machine or database snapshots.
- Check whether the source IP address belongs to a known corporate egress, VPN, or CI/CD range, or is unrelated to the organization.
- Check whether the identity performed additional operations in the cloud environment that might be malicious.
Multiple cloud snapshots export
Synopsis
Description
A cloud identity has downloaded multiple virtual machine or database snapshots from an external IP address.
This action was unusual based on the history of the cloud identity: the identity had not performed comparable exports during the training period.
Attacker's Goals
Exfiltrate sensitive data that resides on the disk.
Investigative actions
- Check whether the identity intended to export the virtual machine or database snapshots.
- Check whether the source IP address belongs to a known corporate egress, VPN, or CI/CD range, or is unrelated to the organization.
- Check whether the identity performed additional operations in the cloud environment that might be malicious.
Multiple cloud snapshots export
Synopsis
Description
A cloud identity has downloaded multiple virtual machine or database snapshots to a local destination.
This action was unusual based on the rate of unsuccessful attempts: a high share of the identity's export attempts in the test period failed.
Attacker's Goals
Exfiltrate sensitive data that resides on the disk.
Investigative actions
- Check whether the identity intended to export the virtual machine or database snapshots.
- Review the errors returned for the failed attempts (for example authorization failures), which may indicate an identity probing for snapshots it can export.
- Check whether the identity performed additional operations in the cloud environment that might be malicious.
Multiple cloud snapshots export
Synopsis
Description
A cloud identity has downloaded multiple virtual machine or database snapshots to a local destination.
This action was unusual based on the history of the cloud project or identity: no comparable export activity was seen for them during the training period.
Attacker's Goals
Exfiltrate sensitive data that resides on the disk.
Investigative actions
- Check whether the identity intended to export the virtual machine or database snapshots.
- Check whether the identity performed additional operations in the cloud environment that might be malicious.
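The following is an added example of how the base detector and its variations fit together, illustrating the description above and each of the variations; it is not the product's own detection logic. It assumes audit events have already been normalized into a simple schema (timestamp, identity, project, exported resource, success flag, source IP), assumes that "multiple" means three or more distinct resources and that an "unusual" failure rate is 50% or more (neither threshold is stated on the page), and assumes a set of internal IP ranges for the external-IP check. The sample events are constructed for the example and are not real logs.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import ipaddress

# Windows taken from the synopsis table above.
TRAINING = timedelta(days=30)
TEST = timedelta(hours=2)
DEDUP = timedelta(days=5)

# Assumed thresholds (not documented on the page).
MIN_EXPORTS = 3          # distinct snapshots/images before "multiple" applies
MIN_FAILURE_RATE = 0.5   # share of failed attempts for the "unsuccessful attempts" variation

# Assumed internal ranges; anything outside them is treated as an external IP.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("172.16.0.0/12")]


@dataclass
class Event:
    """One normalized snapshot/VM export attempt from a cloud audit log."""
    ts: datetime
    identity: str
    project: str
    resource: str     # id of the snapshot or image being exported
    success: bool
    src_ip: str


def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect(events, now, prior_alerts=None):
    """Evaluate the 2-hour test window ending at `now` against the preceding 30-day baseline.

    Returns a list of (identity, variation, distinct_exports, failure_rate).
    `prior_alerts` maps identity -> time of its last alert, used for deduplication.
    """
    prior_alerts = prior_alerts or {}
    test_start = now - TEST
    train_start = test_start - TRAINING
    test = [e for e in events if test_start <= e.ts <= now]
    train = [e for e in events if train_start <= e.ts < test_start]

    # Baseline: successful exports per identity and per project during training.
    ident_hist, proj_hist = defaultdict(int), defaultdict(int)
    for e in train:
        if e.success:
            ident_hist[e.identity] += 1
            proj_hist[e.project] += 1

    by_ident = defaultdict(list)
    for e in test:
        by_ident[e.identity].append(e)

    alerts = []
    for ident, evs in by_ident.items():
        last = prior_alerts.get(ident)
        if last is not None and now - last < DEDUP:
            continue  # still inside the deduplication period
        ok = [e for e in evs if e.success]
        distinct = {e.resource for e in ok}
        if len(distinct) < MIN_EXPORTS:
            continue  # not "multiple" exports
        fail_rate = (len(evs) - len(ok)) / len(evs)
        external = all(is_external(e.src_ip) for e in evs)
        new_ident = ident_hist[ident] == 0
        new_proj = all(proj_hist[p] == 0 for p in {e.project for e in evs})
        if external and new_proj:
            var = "external IP, unusual for project"
        elif external and new_ident:
            var = "external IP, unusual for identity"
        elif fail_rate >= MIN_FAILURE_RATE:
            var = "unusual unsuccessful attempts rate"
        elif new_proj or new_ident:
            var = "unusual for project or identity history"
        else:
            var = "multiple exports"  # base detector, informational
        alerts.append((ident, var, len(distinct), fail_rate))
    return alerts


def sample_events():
    """Constructed events (not real logs). Returns (now, events)."""
    now = datetime(2024, 5, 10, 12, 0, tzinfo=timezone.utc)
    ev = []
    for d in (28, 21, 14, 7):  # svc-backup exports weekly from the internal network
        ev.append(Event(now - timedelta(days=d), "svc-backup", "prod-db", f"snap-{d}", True, "10.0.0.5"))
    ev.append(Event(now - timedelta(days=10), "bob", "prod-db", "snap-b-old", True, "10.0.0.9"))
    for i in range(3):  # svc-backup's routine run inside the test window
        ev.append(Event(now - timedelta(minutes=90 - 10 * i), "svc-backup", "prod-db", f"snap-t{i}", True, "10.0.0.5"))
    for i in range(4):  # alice: no history, exporting from outside the org
        ev.append(Event(now - timedelta(minutes=60 - 5 * i), "alice", "prod-db", f"snap-a{i}", True, "203.0.113.7"))
    for i in range(6):  # bob: half of the attempts fail
        ev.append(Event(now - timedelta(minutes=30 - 2 * i), "bob", "prod-db", f"snap-b{i}", i % 2 == 0, "10.0.0.9"))
    for i in range(3):  # dave: brand-new project, external IP
        ev.append(Event(now - timedelta(minutes=25 - i), "dave", "sandbox", f"snap-d{i}", True, "198.51.100.9"))
    for i in range(3):  # carol: would alert, but was alerted two days ago
        ev.append(Event(now - timedelta(minutes=20 - i), "carol", "prod-db", f"snap-c{i}", True, "198.51.100.4"))
    return now, ev


def run_sample():
    now, ev = sample_events()
    prior = {"carol": now - timedelta(days=2)}
    return {ident: var for ident, var, _, _ in detect(ev, now, prior)}


if __name__ == "__main__":
    for ident, var in run_sample().items():
        print(f"{ident}: {var}")
```

The variation is chosen by precedence (external-IP variants first, then failure rate, then history), so one identity produces at most one alert per window; the base "multiple exports" result is what fires for a routine backup identity and is why the detector's severity is only Informational.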