Suspicious EBS snapshots deletion

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

5 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Inhibit System Recovery (T1490)

Severity

Low

Description

An identity deleted multiple EBS snapshots from the project, considerably more than usual.

Attacker's Goals

Adversaries may delete data to prevent the recovery of a corrupted system.

Investigative actions

  • Identify the deleted snapshots and their associated resources.
  • Investigate the identity that performed the deletion and review recent related activity.

Variations

A non-administrative identity successfully deleted multiple snapshots from a project

Synopsis

ATT&CK Tactic

Impact (TA0040)

ATT&CK Technique

Inhibit System Recovery (T1490)

Severity

Medium

Description

An identity deleted multiple EBS snapshots from the project, considerably more than usual.

Attacker's Goals

Adversaries may delete data to prevent the recovery of a corrupted system.

Investigative actions

  • Identify the deleted snapshots and their associated resources.
  • Investigate the identity that performed the deletion and review recent related activity.
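As an added illustration (not Palo Alto Networks' detection logic, which this reference does not publish), the check below applies the behaviour described for the base alert and its variation to constructed CloudTrail-style records: it counts successful DeleteSnapshot calls per identity inside a one-hour test window, compares the count with a constructed per-identity hourly baseline, and assigns the variation's Medium severity when the identity is not in an assumed administrator list. The identities, baseline values, thresholds and snapshot IDs are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style DeleteSnapshot records (not real log data); only the
# fields the check reads are included.
def _rec(arn, snap, minute, error=None):
    rec = {"eventTime": f"2026-05-18T10:{minute:02d}:00Z", "eventName": "DeleteSnapshot",
           "userIdentity": {"arn": arn}, "requestParameters": {"snapshotId": snap}}
    if error:
        rec["errorCode"] = error  # a failed call never deletes anything
    return rec

ADMIN = "arn:aws:iam::111122223333:user/ops-admin"        # constructed identities
DEV = "arn:aws:iam::111122223333:role/dev-pipeline"
EVENTS = (
    [_rec(ADMIN, f"snap-0a{i}", i) for i in range(6)]                      # 6 by an admin
    + [_rec(DEV, f"snap-0b{i}", 10 + i) for i in range(5)]                 # 5 by a non-admin role
    + [_rec(DEV, "snap-0b9", 20, error="Client.InvalidSnapshot.NotFound")]  # failed, ignored
    + [_rec("arn:aws:iam::111122223333:user/bob", "snap-0c0", 30)]          # single deletion
)
# Constructed per-identity baseline: mean successful deletions per hour over the
# training period. Assumed values; the page does not state how the product derives them.
BASELINE = {ADMIN: 1.5, DEV: 0.1}
ADMIN_IDENTITIES = {ADMIN}
WINDOW_START = datetime(2026, 5, 18, 10, 0, tzinfo=timezone.utc)  # start of the test window

def detect_snapshot_deletion_spike(events, baseline, window_start, window_hours=1,
                                   min_count=3, factor=3.0, admins=ADMIN_IDENTITIES):
    """Return {identity: alert} for identities whose successful DeleteSnapshot calls in the
    window exceed both an absolute floor and `factor` times their hourly baseline."""
    end = window_start + timedelta(hours=window_hours)
    deleted = defaultdict(list)
    for e in events:
        if e.get("eventName") != "DeleteSnapshot" or e.get("errorCode"):
            continue  # only successful deletions count
        t = datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if window_start <= t < end:
            deleted[e["userIdentity"]["arn"]].append(e["requestParameters"]["snapshotId"])
    alerts = {}
    for arn, snaps in deleted.items():
        base = baseline.get(arn, 0.0)  # unseen identity: any burst above the floor alerts
        if len(snaps) >= min_count and len(snaps) > factor * base:
            alerts[arn] = {"count": len(snaps), "baseline": base,
                           "severity": "Low" if arn in admins else "Medium",
                           "snapshot_ids": sorted(snaps)}  # feeds the first investigative action
    return alerts

if __name__ == "__main__":
    for arn, a in detect_snapshot_deletion_spike(EVENTS, BASELINE, WINDOW_START).items():
        print(f"{a['severity']:6} {arn}: {a['count']} deletions (baseline {a['baseline']}/h)")
```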