EBS snapshots were created from an EC2 instance

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-12-08
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Cloud Storage (T1530)

Severity

Informational

Description

One or more EBS snapshots were created from an EC2 instance.

Attacker's Goals

  • Clone existing compute volumes for exfiltration purposes.
  • This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.

Investigative actions

  • Confirm that the identity intended to create the described snapshots.
  • Monitor the source instance for additional suspicious activities.
  • Follow further actions done by the identity.

Variations

EBS snapshots were created from an EC2 instance attached one or more volumes with sensitive data

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Cloud Storage (T1530)

Severity

Medium

Description

One or more EBS snapshots were created from an EC2 instance.
The instance has one or more volumes attached containing sensitive data.

Attacker's Goals

  • Clone existing compute volumes for exfiltration purposes.
  • This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.

Investigative actions

  • Confirm that the identity intended to create the described snapshots.
  • Monitor the source instance for additional suspicious activities.
  • Follow further actions done by the identity.

An unusual creation of EBS snapshots from an EC2 instances

Synopsis

ATT&CK Tactic

Collection (TA0009)

ATT&CK Technique

Data from Cloud Storage (T1530)

Severity

Low

Description

One or more EBS snapshots were created from an EC2 instance.
The operation was not performed by this identity in the last 30 days.

Attacker's Goals

  • Clone existing compute volumes for exfiltration purposes.
  • This action may be a preliminary action before downloading snapshot blocks or creating volumes from the snapshots.

Investigative actions

  • Confirm that the identity intended to create the described snapshots.
  • Monitor the source instance for additional suspicious activities.
  • Follow further actions done by the identity.
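The detection logic that the base alert and its two variations describe, written out as an added Python example that is not Cortex XSIAM's own code: it replays CloudTrail CreateSnapshot events, applies the 30-day identity baseline and the 1-day deduplication period, and assigns the severity of the matching variation. The CloudTrail field names, the volume/instance inventory, the sample events and the severity precedence are assumptions of this example.

```python
from datetime import datetime, timedelta

TRAINING_PERIOD = timedelta(days=30)  # identity baseline window from the reference
DEDUP_PERIOD = timedelta(days=1)      # one alert per identity/instance per day

# Constructed asset inventory (assumption: the analytics module has equivalent data)
INSTANCE_VOLUMES = {"i-0111": {"vol-0aaa"}, "i-0222": {"vol-0bbb", "vol-0ccc"}}
SENSITIVE_VOLUMES = {"vol-0ccc"}  # volumes tagged as holding sensitive data
VOLUME_TO_INSTANCE = {v: i for i, vols in INSTANCE_VOLUMES.items() for v in vols}

def classify(events):
    """Replay CreateSnapshot events in time order; return (time, identity,
    instance, severity) per the three variations in the reference."""
    last_seen = {}   # identity -> time of its previous successful CreateSnapshot
    last_alert = {}  # (identity, instance) -> time of the last emitted alert
    alerts = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] != "CreateSnapshot" or ev.get("errorCode"):
            continue  # only successful snapshot creations are in scope
        ts = datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00"))
        identity = ev["userIdentity"]["arn"]
        instance = VOLUME_TO_INSTANCE.get(ev["requestParameters"]["volumeId"])
        prev, last_seen[identity] = last_seen.get(identity), ts
        key = (identity, instance)
        if key in last_alert and ts - last_alert[key] < DEDUP_PERIOD:
            continue  # suppressed by the 1-day deduplication period
        # Precedence Medium > Low > Informational is an assumption of this example
        if INSTANCE_VOLUMES.get(instance, set()) & SENSITIVE_VOLUMES:
            sev = "Medium"         # instance has a sensitive volume attached
        elif prev is None or ts - prev > TRAINING_PERIOD:
            sev = "Low"            # identity had not done this in the last 30 days
        else:
            sev = "Informational"  # baseline alert
        last_alert[key] = ts
        alerts.append((ts, identity, instance, sev))
    return alerts

def _ev(t, user, vol):  # builds a constructed CloudTrail-shaped record
    return {"eventTime": t, "eventName": "CreateSnapshot",
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"},
            "requestParameters": {"volumeId": vol}}

# Constructed sample: backup user's first snapshot, a routine one the next day,
# a duplicate within the dedup window, then dev snapshotting a sensitive instance
SAMPLE_EVENTS = [_ev("2025-11-01T10:00:00Z", "backup", "vol-0aaa"),
                 _ev("2025-11-02T10:00:00Z", "backup", "vol-0aaa"),
                 _ev("2025-11-02T11:00:00Z", "backup", "vol-0aaa"),
                 _ev("2025-11-03T09:00:00Z", "dev", "vol-0bbb")]
```

Running `classify(SAMPLE_EVENTS)` yields three alerts (Low, Informational, Medium); the third sample event is suppressed by deduplication.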