Uncommon access to cloud platforms' sensitive files by a scripting engine

Cortex XSIAM Analytics Alert Reference by Alert name
Product
Cortex XSIAM
Last date published
2025-11-12
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • XDR Agent with eXtended Threat Hunting (XTH)

Detection Modules

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores (T1555)

Severity

Informational

Description

A scripting engine has accessed sensitive cloud platforms' files.

Attacker's Goals

Gain access/control over internal cloud platform or repositories.

Investigative actions

  • Investigate if the behavior is known to the user or part of known product's procedure.
  • Investigate if the actor processes command line contains malicious indicators or a script file.

Variations

Uncommon access to cloud platforms' sensitive files by an uncommon script or utility

Synopsis

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Credentials from Password Stores (T1555)

Severity

Low

Description

A scripting engine has accessed sensitive cloud platforms' files.

Attacker's Goals

Gain access/control over internal cloud platform or repositories.

Investigative actions

  • Investigate if the behavior is known to the user or part of known product's procedure.
  • Investigate if the actor processes command line contains malicious indicators or a script file.