EBS volume attachment attempt

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2025-11-12
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

5 Days

Required Data

  • Requires:
    • AWS Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Cloud Compute Infrastructure (T1578)

Severity

Informational

Description

An attempt was made to attach an EBS volume to an EC2 instance.

Attacker's Goals

Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.

Investigative actions

  • Review recent activity related to the identity, the attached volume and the cloud instance.

Variations

EBS volume attachment attempt for volume with sensitive data

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Cloud Compute Infrastructure (T1578)

Severity

Medium

Description

An attempt was made to attach an EBS volume with sensitive data to an EC2 instance.

Attacker's Goals

Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.

Investigative actions

  • Review recent activity related to the identity, the attached volume and the cloud instance.


EBS volume attachment attempt using Cloud Formation or Terraform

Synopsis

ATT&CK Tactic

Defense Evasion (TA0005)

ATT&CK Technique

Modify Cloud Compute Infrastructure (T1578)

Severity

Informational

Description

An attempt was made to attach an EBS volume to an EC2 instance.

Attacker's Goals

Attach a volume to a cloud instance to exfiltrate sensitive data stored on EBS volumes.

Investigative actions

  • Review recent activity related to the identity, the attached volume and the cloud instance.