Unusual key management activity

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials (T1552)

Severity

Informational

Description

A cloud Identity performed a key management operation for the first time.

Attacker's Goals

Abuse exposed cryptographic keys to decrypt sensitive information or create digital signatures to craft malicious messages.
Using the decrypted information, the attacker may perform additional activities in an evasive manner.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive KMS operation that it shouldn't.