Synopsis
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | 2 Hours |
| Deduplication Period | 5 Days |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A cloud identity has downloaded multiple virtual machines or DB snapshots locally.
Attacker's Goals
Exfiltrate sensitive data that resides on the disk.
Investigative actions
- Check if the identity intended to export the virtual machines or DB snapshots.
- Check if the identity performed additional operations in the cloud environment that might be malicious.
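To support the first investigative check, the following added example (not the vendor's detector logic) groups export events per identity and reports identities that exported several distinct resources within one 2-hour window. The AWS CloudTrail event names, the threshold of three resources, and the record field names are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: these AWS CloudTrail event names stand in for "export" activity;
# the page does not list which API calls its detector covers.
EXPORT_EVENTS = {"CreateInstanceExportTask", "ExportImage", "StartExportTask"}
WINDOW = timedelta(hours=2)   # matches the 2-hour test period in the synopsis
MIN_RESOURCES = 3             # assumed meaning of "multiple"

def find_bulk_exports(events, window=WINDOW, min_resources=MIN_RESOURCES):
    """Return {identity: (window_start, sorted resources)} for identities that
    exported at least min_resources distinct resources within one window."""
    recent = defaultdict(deque)   # identity -> deque of (time, resource)
    hits = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        # Skip non-export events and identities already reported once.
        if ev["event"] not in EXPORT_EVENTS or ev["identity"] in hits:
            continue
        q = recent[ev["identity"]]
        q.append((ev["time"], ev["resource"]))
        # Drop exports that fell out of the sliding window.
        while ev["time"] - q[0][0] > window:
            q.popleft()
        resources = {r for _, r in q}
        if len(resources) >= min_resources:
            hits[ev["identity"]] = (q[0][0], sorted(resources))
    return hits

def _ev(ts, identity, event, resource):
    return {"time": datetime.fromisoformat(ts), "identity": identity,
            "event": event, "resource": resource}

# Constructed sample records (not real logs).
SAMPLE = [
    _ev("2024-01-10T09:00:00", "backup-svc", "StartExportTask", "snap-db-01"),
    _ev("2024-01-10T09:05:00", "dev-user", "CreateInstanceExportTask", "i-aaa"),
    _ev("2024-01-10T09:20:00", "dev-user", "DescribeInstances", "i-aaa"),
    _ev("2024-01-10T09:40:00", "dev-user", "ExportImage", "ami-bbb"),
    _ev("2024-01-10T10:30:00", "dev-user", "StartExportTask", "snap-db-02"),
    _ev("2024-01-10T13:00:00", "backup-svc", "StartExportTask", "snap-db-02"),
    _ev("2024-01-10T16:00:00", "backup-svc", "StartExportTask", "snap-db-03"),
]

if __name__ == "__main__":
    for identity, (start, resources) in find_bulk_exports(SAMPLE).items():
        print(identity, start.isoformat(), resources)
```

In the sample, `backup-svc` exports three snapshots spread over seven hours and is not reported, which is the kind of scheduled activity the intent check is meant to separate from a burst by one identity.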
Variations
Multiple cloud snapshots export