Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A cloud resource was modified or created by a newly seen user. The API call is unusual because it is normally executed by administrators or is not commonly used within the organization.
Attacker's Goals
Evading detections, maintaining persistence and access to sensitive data.
Investigative actions
- Check which resources were manipulated and their severity.
- Check for abnormal activity by the executing identity before and after the manipulation.
Variations
- Unusual resource modification/creation by an identity with high administrative activity
- Unusual resource modification/creation by newly seen user