Cloud penetration testing tool activity

Cortex XDR Analytics Alert Reference by data source
Product
Cortex XDR
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

7 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log
      OR
    • Microsoft Graph Logs

Detection Modules

Cloud

Detector Tags

Microsoft Graph Activity Logs

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

High

Description

A cloud API was successfully executed using a known cloud penetration testing tool.

Attacker's Goals

Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.

Investigative actions

  • Confirm if authorized penetration testing activity is currently scheduled.
  • Review the API operations performed by the identity to determine the intent and scope of the activity.

Variations

Cloud penetration testing tool usage attempt

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

Informational

Description

A failed cloud API was executed using a known cloud penetration testing tool.

Attacker's Goals

Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.

Investigative actions

  • Confirm if authorized penetration testing activity is currently scheduled.
  • Review the API operations performed by the identity to determine the intent and scope of the activity.


Cloud security assessment tool activity

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

Low

Description

A cloud API was successfully executed using a known cloud security assessment tool.

Attacker's Goals

Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.

Investigative actions

  • Confirm if authorized penetration testing activity is currently scheduled.
  • Review the API operations performed by the identity to determine the intent and scope of the activity.


Cloud penetration testing tool activity by Azure application

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

Informational

Description

A cloud API was successfully executed using a known cloud penetration testing tool by an Azure application.

Attacker's Goals

Leverage known attack tools to enumerate resources, identify vulnerabilities, or exploit cloud configurations.

Investigative actions

  • Confirm if authorized penetration testing activity is currently scheduled.
  • Review the API operations performed by the identity to determine the intent and scope of the activity.