Unusual cloud identity impersonation

Cortex XSIAM Analytics Alert Reference by Alert name

Product

Cortex XSIAM

Last date published

2025-10-27

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	5 Days
Required Data	Requires one of the following data sources: AWS Audit Log OR Gcp Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Privilege Escalation (TA0004) Defense Evasion (TA0005) Initial Access (TA0001)
ATT&CK Technique	Valid Accounts: Cloud Accounts (T1078.004) Abuse Elevation Control Mechanism: Temporary Elevated Cloud Access (T1548.005) Trusted Relationship (T1199)
Severity	Informational

Description

A cloud identity attempted to impersonate another identity for the first time.

Attacker's Goals

Escalate privileges and bypass access controls
Avoid detection throughout their compromise.

Investigative actions

Check the identity's designation.
Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

Variations

Unusual cloud identity impersonation of a management role

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A cloud identity attempted to impersonate a management role for the first time.

Attacker's Goals

Escalate privileges and bypass access controls
Avoid detection throughout their compromise.

Investigative actions

Check the identity's designation.
Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

Unusual cloud identity impersonation by an identity with high administrative activity

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A cloud identity with high administrative activity attempted to impersonate another identity for the first time.

Attacker's Goals

Escalate privileges and bypass access controls
Avoid detection throughout their compromise.

Investigative actions

Check the identity's designation.
Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

Suspicious cloud identity impersonation was succeeded

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Medium

Description

A cloud identity has impersonated another identity for the first time.

Attacker's Goals

Escalate privileges and bypass access controls
Avoid detection throughout their compromise.

Investigative actions

Check the identity's designation.
Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.

Suspicious cloud identity impersonation was failed

Synopsis

ATT&CK Tactic

ATT&CK Technique

Severity

Informational

Description

A cloud identity has failed to impersonate another identity.

Attacker's Goals

Escalate privileges and bypass access controls
Avoid detection throughout their compromise.

Investigative actions

Check the identity's designation.
Verify that the identity did not perform any sensitive operation on behalf of the impersonated identity.