A cloud identity performed multiple unusual activities

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2024-12-03
Category
Analytics Alert Reference
Order
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

1 Hour

Deduplication Period

1 Day

Required Data

  • Requires:

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

Medium

Description

A cloud identity performed multiple unusual activities across various cloud services.

Attacker's Goals

Adversaries may manipulate accounts to pivot to their next point in the environment, and eventually to access or manipulate data.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).
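The detection behaviour the fields above describe (a per-identity baseline learned over the 30-day training period, a 1-hour test window, and 1-day deduplication per identity) can be illustrated with a small self-contained model. The code below is an added example written for this reference entry; it is not Cortex XSIAM's own analytics logic. The CloudEvent shape, the thresholds MIN_UNUSUAL_ACTIVITIES and MIN_DISTINCT_SERVICES, and the sample audit events are all constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Window lengths as stated on the alert reference page.
TRAINING_PERIOD = timedelta(days=30)
TEST_PERIOD = timedelta(hours=1)
DEDUP_PERIOD = timedelta(days=1)
# Assumed thresholds (not from the page): how many previously unseen
# (service, operation) pairs, spread over how many distinct services,
# count as "multiple unusual activities across various cloud services".
MIN_UNUSUAL_ACTIVITIES = 3
MIN_DISTINCT_SERVICES = 2


@dataclass(frozen=True)
class CloudEvent:
    """Assumed minimal shape of a normalised cloud audit event."""
    ts: datetime
    identity: str
    service: str
    operation: str


def build_baseline(events, train_start, train_end):
    """Per-identity set of (service, operation) pairs seen in the training window."""
    baseline = defaultdict(set)
    for ev in events:
        if train_start <= ev.ts < train_end:
            baseline[ev.identity].add((ev.service, ev.operation))
    return baseline


def unusual_activities(events, baseline, test_start, test_end):
    """Per-identity (service, operation) pairs in the test window absent from the baseline."""
    unusual = defaultdict(set)
    for ev in events:
        if test_start <= ev.ts < test_end:
            pair = (ev.service, ev.operation)
            if pair not in baseline.get(ev.identity, set()):
                unusual[ev.identity].add(pair)
    return unusual


def evaluate(events, now, last_alerted=None):
    """Run one detection cycle ending at `now`; return alerts as (identity, sorted unusual pairs).

    `last_alerted` maps identity -> time of its last alert and is updated in place,
    so a repeat alert for the same identity is suppressed within DEDUP_PERIOD.
    """
    if last_alerted is None:
        last_alerted = {}
    test_start = now - TEST_PERIOD
    train_start = test_start - TRAINING_PERIOD
    baseline = build_baseline(events, train_start, test_start)
    unusual = unusual_activities(events, baseline, test_start, now)
    alerts = []
    for identity, pairs in sorted(unusual.items()):
        services = {service for service, _ in pairs}
        if len(pairs) < MIN_UNUSUAL_ACTIVITIES or len(services) < MIN_DISTINCT_SERVICES:
            continue
        previous = last_alerted.get(identity)
        if previous is not None and now - previous < DEDUP_PERIOD:
            continue  # deduplicated: already alerted on this identity today
        last_alerted[identity] = now
        alerts.append((identity, sorted(pairs)))
    return alerts


# Constructed sample events (not real telemetry).
NOW = datetime(2024, 12, 3, 12, 0, 0)
SAMPLE_EVENTS = [
    # Older than the training window: does not count toward alice's baseline.
    CloudEvent(NOW - timedelta(days=40), "alice", "ec2", "RunInstances"),
    # Training window: the 30 days before the 1-hour test window.
    CloudEvent(NOW - timedelta(days=10), "alice", "s3", "GetObject"),
    CloudEvent(NOW - timedelta(days=5), "alice", "iam", "ListUsers"),
    CloudEvent(NOW - timedelta(days=20), "bob", "s3", "GetObject"),
    CloudEvent(NOW - timedelta(days=2), "svc-deploy", "lambda", "UpdateFunctionCode"),
    # Test window: the last hour.
    CloudEvent(NOW - timedelta(minutes=50), "alice", "iam", "CreateAccessKey"),
    CloudEvent(NOW - timedelta(minutes=40), "alice", "ec2", "RunInstances"),
    CloudEvent(NOW - timedelta(minutes=30), "alice", "lambda", "UpdateFunctionCode"),
    CloudEvent(NOW - timedelta(minutes=20), "bob", "s3", "GetObject"),
    CloudEvent(NOW - timedelta(minutes=15), "svc-deploy", "lambda", "CreateFunction"),
]

if __name__ == "__main__":
    for identity, pairs in evaluate(SAMPLE_EVENTS, NOW):
        print(f"ALERT {identity}: {len(pairs)} unusual activities -> {pairs}")
```

Only "alice" fires: three operations she never performed during the training window, on three different services. "bob" repeats a baselined action and "svc-deploy" performs a single new one, so neither reaches the threshold, and the 40-day-old RunInstances event shows why the training period bounds what counts as "usual". Passing the same `last_alerted` state into a later cycle shows the deduplication period suppressing a second alert for the same identity.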

Variations

A cloud identity performed multiple suspicious activities

Synopsis

ATT&CK Tactic

Execution (TA0002)

ATT&CK Technique

User Execution (T1204)

Severity

Low

Description

A cloud identity performed multiple unusual activities across various cloud services.

Attacker's Goals

Adversaries may manipulate accounts to pivot to their next point in the environment, and eventually to access or manipulate data.

Investigative actions

  • Check if the identity intended to perform this action, or look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).