Synopsis
| Field | Value |
|---|---|
| Activation Period | 14 Days |
| Training Period | 30 Days |
| Test Period | N/A (single event) |
| Deduplication Period | 1 Day |
| Required Data | |
| Detection Modules | Cloud |
| Detector Tags | Cloud Data Asset Disaster Recovery Risks, Cloud Data Asset Configuration |
| ATT&CK Tactic | |
| ATT&CK Technique | |
| Severity | Informational |
Description
A cloud identity has created or modified a cloud snapshot.
Attacker's Goals
Exfiltrate sensitive data that resides on the snapshot.
Investigative actions
- Check if the identity intended to create or modify the snapshot.
- Check if the identity performed additional malicious operations within the cloud environment.
Variations
- Cloud snapshot was publicly shared
- Cloud snapshot was shared with unusual AWS account(s)
- Previously unseen GCP principal was bound to cloud snapshot