An identity accessed a backup cloud storage

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2026-01-04

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
Detector Tags	Cloud Data Asset Exfiltration
ATT&CK Tactic	Collection (TA0009) Exfiltration (TA0010)
ATT&CK Technique	Data from Cloud Storage (T1530) Automated Exfiltration (T1020)
Severity	Informational

An identity accessed a backup cloud storage.

Exfiltrate data from the cloud environment.

Check the identity which invoked the operation.
Check the accessed resource and verify it doesn't contain sensitive data.

ATT&CK Tactic

ATT&CK Technique

Severity

Low

An identity accessed a backup cloud storage.

Exfiltrate data from the cloud environment.

Check the identity which invoked the operation.
Check the accessed resource and verify it doesn't contain sensitive data.