A cloud snapshot of AWS database or storage was modified or shared

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-06-24

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration
ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Informational

A cloud identity has shared a snapshot of an AWS database or storage instance.

Exfiltrate sensitive data that resides on the snapshot.

Check if the identity intended to modify the snapshot.
Check if the identity performed additional malicious operations within the cloud environment.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Low

A cloud identity has shared a snapshot of an AWS database or storage instance.

Exfiltrate sensitive data that resides on the snapshot.

Check if the identity intended to modify the snapshot.
Check if the identity performed additional malicious operations within the cloud environment.
Check if snapshot contained sensitive information and investigate aws account that shared it.

ATT&CK Tactic	Exfiltration (TA0010)
ATT&CK Technique	Transfer Data to Cloud Account (T1537)
Severity	Low

A cloud identity has shared a snapshot of an AWS database or storage instance.

Exfiltrate sensitive data that resides on the snapshot.

Check if the identity intended to modify the snapshot.
Check if the identity performed additional malicious operations within the cloud environment.
Check which AWS accounts the snapshot was shared with.