SES Production Access Requested

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-02-02
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: N/A (single event)
Deduplication Period: 1 Day
Required Data:
  • Requires:
    • AWS Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Resource Development (TA0042)
ATT&CK Technique: Compromise Accounts: Email Accounts (T1586.002)
Severity: Informational

Description

An identity requested that the SES account be moved from the restricted sandbox mode into production mode.

Attacker's Goals

Use the existing account to send phishing emails or spread malware at scale.

Investigative actions

  • Check if the identity has performed any email-related operations in the past.
  • Check if this account should be used for email sending.

Variations

SES Production Access Requested by an unusual identity

Synopsis

ATT&CK Tactic: Resource Development (TA0042)
ATT&CK Technique: Compromise Accounts: Email Accounts (T1586.002)
Severity: Low

Description

An identity requested that the SES account be moved from the restricted sandbox mode into production mode.
The identity had not been seen performing any SES operations in the preceding 30 days.

Attacker's Goals

Use the existing account to send phishing emails or spread malware at scale.

Investigative actions

  • Check if the identity has performed any email-related operations in the past.
  • Check if this account should be used for email sending.
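
The first investigative action, and the 30-day condition of the "unusual identity" variation, can be checked offline against exported AWS audit (CloudTrail) records. The following is an added example, not Cortex XDR's detection logic; it assumes the request is logged as the SESv2 PutAccountDetails call, and the identities and records are constructed sample data.

```python
from datetime import datetime, timedelta

LOOKBACK = timedelta(days=30)   # window from the "unusual identity" variation
SES_SOURCE = "ses.amazonaws.com"
# Assumption: the sandbox-exit request is recorded as the SESv2 PutAccountDetails call.
REQUEST_EVENT = "PutAccountDetails"


def ev(time, user, name, source=SES_SOURCE):
    """Build a minimal CloudTrail-shaped record (constructed sample data)."""
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": f"arn:aws:iam::111122223333:user/{user}"}}


SAMPLE = [
    ev("2025-11-01T09:00:00Z", "ci-deploy", "ListEmailIdentities"),  # older than 30 days
    ev("2026-01-10T12:00:00Z", "mail-admin", "CreateEmailIdentity"),
    ev("2026-01-20T08:30:00Z", "mail-admin", "GetAccount"),
    ev("2026-01-24T10:00:00Z", "ci-deploy", "PutObject", source="s3.amazonaws.com"),
    ev("2026-01-25T14:00:00Z", "mail-admin", REQUEST_EVENT),
    ev("2026-01-26T03:15:00Z", "ci-deploy", REQUEST_EVENT),
]


def when(record):
    return datetime.strptime(record["eventTime"], "%Y-%m-%dT%H:%M:%SZ")


def triage(records):
    """For each production-access request, list the identity's earlier SES calls in the window."""
    ses = [r for r in records if r.get("eventSource") == SES_SOURCE]
    findings = []
    for req in (r for r in ses if r["eventName"] == REQUEST_EVENT):
        arn = req.get("userIdentity", {}).get("arn", "unknown")
        # Earlier SES calls by the same identity, strictly before the request.
        prior = sorted({r["eventName"] for r in ses
                        if r.get("userIdentity", {}).get("arn") == arn
                        and timedelta(0) < when(req) - when(r) <= LOOKBACK})
        findings.append({"time": req["eventTime"], "identity": arn,
                         "prior_ses_calls": prior, "unusual": not prior})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```

Whether the account should be sending email at all, the second investigative action, is a business question the logs cannot answer and still needs confirmation from the account owner.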