Unusual cross projects activity

Cortex XDR Analytics Alert Reference by Alert name

Product

Cortex XDR

Last date published

2025-04-07

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Initial Access (TA0001)
ATT&CK Technique	Trusted Relationship (T1199)
Severity	Low

A suspicious activity between different cloud projects.

Abuse an existing connection and pivot through multiple projects to find their target.

Check if the identity intended to perform actions on the project.
Check the operations that were performed on the project {caller_project}.
Check if the identity performed additional operations in the cloud environment that might be malicious.

A suspicious activity between different cloud projects.

Abuse an existing connection and pivot through multiple projects to find their target.

Check if the identity intended to perform actions on the project.
Check the operations that were performed on the project {caller_project}.
Check if the identity performed additional operations in the cloud environment that might be malicious.

A suspicious activity between different cloud projects.

Abuse an existing connection and pivot through multiple projects to find their target.

Check if the identity intended to perform actions on the project.
Check the operations that were performed on the project {caller_project}.
Check if the identity performed additional operations in the cloud environment that might be malicious.