Unusual key management activity

Cortex XSIAM Analytics Alert Reference by Alert name

Product
Cortex XSIAM
Last date published
2025-01-19
Category
Analytics Alert Reference
Index by
Alert name

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires one of the following data sources:
    • AWS Audit Log
      OR
    • Azure Audit Log
      OR
    • Gcp Audit Log

Detection Modules

Cloud

Detector Tags

ATT&CK Tactic

Credential Access (TA0006)

ATT&CK Technique

Unsecured Credentials (T1552)

Severity

Informational

Description

A cloud Identity performed a key management operation for the first time.

Attacker's Goals

Abuse exposed cryptographic keys to decrypt sensitive information or create digital signatures to craft malicious messages.
Using the decrypted information, the attacker may perform additional activities in an evasive manner.

Investigative actions

  • Check the identity's role designation in the organization.
  • Verify that the identity did not perform any sensitive KMS operation that it shouldn't.