Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A cloud identity performed an unusual IAM operation.
Attacker's Goals
Manipulate the IAM configuration to strengthen the foothold in the organization's cloud environment by creating new accounts and modifying credentials and permissions.
Using the modified accounts, the attacker may perform additional activities in an evasive manner.
Investigative actions
- Check the identity's role designation in the organization.
- Verify that the identity did not perform any sensitive IAM operation that it should not have.
Variations
- Unusual Identity and Access Management (IAM) activity executed from a cloud Internet facing instance
- Unusual Identity and Access Management (IAM) activity