Retrieval of cloud compute EC2 instance user data

Cortex XDR Analytics Alert Reference by Alert name

Product
Cortex XDR
Last date published
2026-03-10
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Automated Collection (T1119)

Severity

Informational

Description

The user data of a cloud compute instance was retrieved. User data may contain startup scripts, configuration parameters, or sensitive information associated with the instance.

Attacker's Goals

Access sensitive instance metadata or startup scripts.

Investigative actions

  • Verify whether this action is expected.
  • Inspect the user data script for sensitive data.
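The alert is built on AWS audit log events, and both investigative actions above come down to two checks: which principal read an instance's user data, and whether that user data holds anything sensitive. The following Python is an added example written for this page, not Cortex XDR's detection logic. It assumes CloudTrail-style records (the API that returns user data is `ec2:DescribeInstanceAttribute` with the `userData` attribute); every event, identity, IP address and the sample startup script are constructed, and the one-day collapsing of repeated reads mirrors the deduplication period stated above.

```python
"""Detect EC2 user-data retrieval in CloudTrail-style records and triage the
decoded user data. Added example; all sample data below is constructed."""
import base64
import re
from collections import OrderedDict

# ec2:DescribeInstanceAttribute with attribute=userData is the API call that
# returns an instance's user data, so this (source, name, attribute) triple is
# the event to watch for.
USER_DATA_EVENT = ("ec2.amazonaws.com", "DescribeInstanceAttribute", "userData")

# Constructed CloudTrail records (account, users, instance IDs and IPs are made up).
SAMPLE_EVENTS = [
    {"eventTime": "2026-03-10T08:00:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
    {"eventTime": "2026-03-10T09:15:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "userData"}},
    {"eventTime": "2026-03-10T09:20:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ci-deployer"},
     "sourceIPAddress": "203.0.113.10",
     "requestParameters": {"instanceId": "i-0123456789abcdef0", "attribute": "instanceType"}},
    {"eventTime": "2026-03-11T14:02:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstanceAttribute",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/analyst-b"},
     "sourceIPAddress": "198.51.100.7",
     "requestParameters": {"instanceId": "i-0fedcba9876543210", "attribute": "userData"}},
]


def user_data_retrievals(events):
    """Return one finding per (actor, instance, UTC day) for user-data reads.

    Repeated reads of the same instance by the same principal on the same day
    collapse into a single finding with a count, matching a one-day
    deduplication window; other attribute reads are ignored.
    """
    findings = OrderedDict()
    for ev in events:
        params = ev.get("requestParameters") or {}
        key = (ev.get("eventSource"), ev.get("eventName"), params.get("attribute"))
        if key != USER_DATA_EVENT:
            continue
        actor = (ev.get("userIdentity") or {}).get("arn", "unknown")
        day = (ev.get("eventTime") or "")[:10]  # YYYY-MM-DD prefix of the ISO timestamp
        dedup_key = (actor, params.get("instanceId"), day)
        if dedup_key in findings:
            findings[dedup_key]["count"] += 1
            continue
        findings[dedup_key] = {
            "actor": actor,
            "instance_id": params.get("instanceId"),
            "source_ip": ev.get("sourceIPAddress"),
            "day": day,
            "count": 1,
        }
    return list(findings.values())


# Markers an analyst would look for when inspecting a startup script.
SENSITIVE_MARKERS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "password_assignment": re.compile(r"(?i)pass(?:word|wd)?\s*="),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}


def find_sensitive_markers(user_data_b64):
    """Decode base64 user data (the form the API returns it in) and list the
    names of the sensitive-data markers found, sorted for stable output."""
    text = base64.b64decode(user_data_b64).decode("utf-8", errors="replace")
    return sorted(name for name, rx in SENSITIVE_MARKERS.items() if rx.search(text))


# Constructed startup script; the access key ID is AWS's documented example value.
CONSTRUCTED_USER_DATA = base64.b64encode(
    b"#!/bin/bash\n"
    b"export DB_PASSWORD=hunter2\n"
    b"aws configure set aws_access_key_id AKIAIOSFODNN7EXAMPLE\n"
).decode()


if __name__ == "__main__":
    for finding in user_data_retrievals(SAMPLE_EVENTS):
        print(finding)
    print(find_sensitive_markers(CONSTRUCTED_USER_DATA))
```

On the constructed records the first function yields two findings (the ci-deployer reads collapse into one with a count of 2, the instanceType read is skipped), and the decoded script trips the access-key and password markers. When triaging a real finding, compare the actor and source IP against the instance's expected deployment tooling before escalating; a read by the pipeline that launched the instance is usually the expected case the first investigative action refers to.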

Variations

Unusual Retrieval of cloud compute instance user data

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Automated Collection (T1119)

Severity

Low

Description

The user data of a cloud compute instance was retrieved. User data may contain startup scripts, configuration parameters, or sensitive information associated with the instance.

Attacker's Goals

Access sensitive instance metadata or startup scripts.

Investigative actions

  • Verify whether this action is expected.
  • Inspect the user data script for sensitive data.