Alert Pack: Cloud Infrastructure Discovery (MITRE Att&ck Technique: T1580)

[ 1 Purpose ] [ 2 Prerequisites ] [ 3 Open alert pack ] [ 4 Use alert pack ]

Purpose

This alert pack will let you know when the attackers are looking for valuable information about your clouds and can help your team respond to all discovery threats.

Security Operations application SecOps users can obtain detailed information if they install these alerts using the Content Manager instead.
SecOpsGCPAuditUnauthorizedAPICalls	SecOpsGCPAuditListQueues	SecOpsGCPPossibleReconnaissanceActivity
SecOpsGCPPortScan	SecOpsGCPGCPloitExploitationFrameworkActivity	SecOpsAwsCloudTrailReconEvent
SecOpsGCPPortSweep

What is Infrastructure discovery?

An adversary may attempt to discover infrastructure and resources that are available within an infrastructure-as-a-service (IaaS) environment. This includes compute service resources such as instances, virtual machines, and snapshots as well as resources of other services including the storage and database services.

Prerequisites

To use this alert pack, you must have the following data sources available on your domain:

cloud.aws.cloudtrail ^{learn more}
cloud.gcp.compute.firewall ^{learn more}
cloud.gcp ^{learn more}

Open alert pack

Once you have installed the alert pack, you can use the Open button at the top right of the card in Exchange to access the Alert configuration, where you can apply filters to find it and later manage it as required. You can also access this area via the Navigation pane (Administration → Alert Configuration → Available alerts).

Use alert pack

The alerts in the alert pack are deactivated by default when the alert pack is installed. Access the Alert configuration area to activate those you need and assign sending policies to receive them through the desired channels.