Suspicious AWS SSM parameters retrieval activity

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2026-03-15

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	5 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Credential Access (TA0006) Collection (TA0009)
ATT&CK Technique	Unsecured Credentials (T1552) Data from Cloud Storage (T1530)
Severity	Informational

Description

An identity dumped multiple AWS SSM parameters from the project.
This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

Attacker's Goals

Collect secrets from the cloud environment.

Investigative actions

Check the accessed parameters' designation.
Verify that the identity did not dump any sensitive information that it shouldn't.

Variations

A non admin identity extracted multiple secrets within the organization across multiple regions

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Low

Description

An identity dumped multiple AWS SSM parameters from the project.
This may indicate an attacker's attempt to dump sensitive information from the cloud environment.

Attacker's Goals

Collect secrets from the cloud environment.

Investigative actions

Check the accessed parameters' designation.
Verify that the identity did not dump any sensitive information that it shouldn't.