AWS EBS discovery operation

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2026-01-27
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Cloud Infrastructure Discovery (T1580) Cloud Storage Object Discovery (T1619)
Severity	Informational

Description

AWS EBS discovery operation.

Attacker's Goals

Locate valuable data, understand storage configurations, and identify snapshots that can be copied or shared.
Support data exfiltration, lateral movement, or persistence through volume or snapshot manipulation.

Investigative actions

Verify if the identity typically queries EBS volumes or snapshots in this environment.
Check whether this activity is part of expected workflows (e.g., backup validation, provisioning) or appears anomalous.
Review surrounding activity for other discovery calls to assess broader enumeration behavior.
Examine whether the activity was followed by potential exfiltration steps, such as copying a snapshot cross-region or sharing it externally.