Unusual Identity and Access Management (IAM) activity

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
    OR
    • GCP Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Informational

Description

A cloud identity performed an unusual IAM operation.

Attacker's Goals

Manipulate the IAM configuration to strengthen the foothold in the organization's cloud environment by creating new accounts and modifying credentials and permissions.
Using the modified accounts, the attacker may perform additional activities in an evasive manner.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive IAM operation that it shouldn't.
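The alert above is a baseline-deviation detector: during the training period it learns which IAM API calls each cloud principal normally makes, and afterwards it raises an alert when a principal issues an IAM call outside that baseline, suppressing repeats of the same principal/operation pair for the deduplication period. The following Python is an added illustration of that idea over constructed CloudTrail-style records; it is not Cortex XDR's own analytics logic. It assumes a 30-day training window and 5-day deduplication window as stated on the page, uses the session-issuing role as the baseline key for assumed-role sessions, and takes the set of roles attached to Internet-facing instances from a constructed inventory lookup (`INTERNET_FACING_ROLES`) to reproduce the three severity variants. The activation period is not modelled.

```python
"""Toy 'unusual IAM operation' detector over CloudTrail-style events.

Added example, not Cortex XDR's logic: learn the IAM calls each principal
makes during a training window, flag calls outside that baseline, and
suppress repeats of the same principal/operation within a dedup window.
"""
from collections import defaultdict
from datetime import datetime, timedelta

IAM_SOURCE = "iam.amazonaws.com"
TRAINING_DAYS = 30   # training period from the alert reference
DEDUP_DAYS = 5       # deduplication period from the alert reference

# Assumption: an asset inventory tells us which roles belong to Internet-facing
# instances. Constructed value for this example.
INTERNET_FACING_ROLES = {"arn:aws:iam::111122223333:role/web-instance-role"}


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def principal_key(event):
    """Baseline key: the issuing role for assumed-role sessions (so all sessions
    of one role share a baseline), otherwise the caller ARN."""
    ident = event["userIdentity"]
    issuer = ident.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or ident["arn"]


def build_baseline(events, training_end, training_days=TRAINING_DAYS):
    """Map each principal to the set of IAM operations seen in the training window."""
    start = training_end - timedelta(days=training_days)
    baseline = defaultdict(set)
    for ev in events:
        t = parse_time(ev["eventTime"])
        if ev["eventSource"] == IAM_SOURCE and start <= t < training_end:
            baseline[principal_key(ev)].add(ev["eventName"])
    return baseline


def severity(event):
    """Severity per the page's variants: Internet-facing instance > non-user > user."""
    if principal_key(event) in INTERNET_FACING_ROLES:
        return "Medium"
    if event["userIdentity"]["type"] == "IAMUser":
        return "Informational"
    return "Low"


def detect(baseline, events, dedup_days=DEDUP_DAYS):
    """Return alerts for IAM calls outside the principal's baseline, deduplicated."""
    alerts, last_alert = [], {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventSource"] != IAM_SOURCE:
            continue
        key, op = principal_key(ev), ev["eventName"]
        if op in baseline.get(key, set()):
            continue                      # normal for this principal
        t = parse_time(ev["eventTime"])
        seen = last_alert.get((key, op))
        if seen and t - seen < timedelta(days=dedup_days):
            continue                      # already alerted within the dedup window
        last_alert[(key, op)] = t
        alerts.append({"time": ev["eventTime"], "principal": key,
                       "operation": op, "severity": severity(ev)})
    return alerts


# ---- constructed sample data (not real logs) ---------------------------------
def _ev(ts, name, ident, source=IAM_SOURCE):
    return {"eventTime": ts, "eventSource": source, "eventName": name, "userIdentity": ident}

ALICE = {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/alice"}
WEB_SESSION = {"type": "AssumedRole",
               "arn": "arn:aws:sts::111122223333:assumed-role/web-instance-role/i-0123456789abcdef0",
               "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/web-instance-role"}}}
BATCH_SESSION = {"type": "AssumedRole",
                 "arn": "arn:aws:sts::111122223333:assumed-role/batch-role/session1",
                 "sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/batch-role"}}}

TRAINING_EVENTS = [
    _ev("2024-10-05T09:00:00Z", "ListUsers", ALICE),
    _ev("2024-10-20T09:00:00Z", "GetUser", ALICE),
    _ev("2024-10-21T09:00:00Z", "GetRole", WEB_SESSION),
    _ev("2024-10-22T09:00:00Z", "DescribeInstances", ALICE, source="ec2.amazonaws.com"),  # not IAM
]
LIVE_EVENTS = [
    _ev("2024-11-02T10:00:00Z", "ListUsers", ALICE),               # in baseline: no alert
    _ev("2024-11-02T10:05:00Z", "CreateAccessKey", ALICE),         # new for alice: Informational
    _ev("2024-11-03T10:05:00Z", "CreateAccessKey", ALICE),         # within 5 days: deduplicated
    _ev("2024-11-08T10:05:00Z", "CreateAccessKey", ALICE),         # 6 days later: alerts again
    _ev("2024-11-04T11:00:00Z", "AttachUserPolicy", WEB_SESSION),  # Internet-facing instance: Medium
    _ev("2024-11-04T12:00:00Z", "PutRolePolicy", BATCH_SESSION),   # non-user identity: Low
]


def run_example():
    baseline = build_baseline(TRAINING_EVENTS, training_end=parse_time("2024-11-01T00:00:00Z"))
    return detect(baseline, LIVE_EVENTS)


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

Keying the baseline on the issuing role rather than the per-session ARN matters for the "non-user identity" and "Internet-facing instance" variants: every session of an instance role has a different session name, so a per-session baseline would be empty and every call would look unusual. The dedup timer starts at the first alert, not at each suppressed repeat, which is what keeps a steady stream of repeats from extending suppression indefinitely.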

Variations

Unusual Identity and Access Management (IAM) activity executed from a cloud Internet-facing instance

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Medium

Description

A cloud Internet-facing instance performed an unusual IAM operation.

Attacker's Goals

Manipulate the IAM configuration to strengthen the foothold in the organization's cloud environment by creating new accounts and modifying credentials and permissions.
Using the modified accounts, the attacker may perform additional activities in an evasive manner.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive IAM operation that it shouldn't.


Unusual Identity and Access Management (IAM) activity

Synopsis

ATT&CK Tactic

Persistence (TA0003)

ATT&CK Technique

Severity

Low

Description

A cloud non-user identity performed an unusual IAM operation.

Attacker's Goals

Manipulate the IAM configuration to strengthen the foothold in the organization's cloud environment by creating new accounts and modifying credentials and permissions.
Using the modified accounts, the attacker may perform additional activities in an evasive manner.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive IAM operation that it shouldn't.