Disable encryption operations

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Data Manipulation (T1565)

Severity

Low

Description

Encryption was disabled on the servers that host EC2 instances, both for data-at-rest and data-in-transit.

Attacker's Goals

Decrypt sensitive data host on EC2 instance, this may be a step in a flow for data exfiltration.

Investigative actions

  • Check if Identity intended to disable the encryption.