Data from Cloud Storage T1530
Tactic: Collection
Adversaries may access data from cloud storage.
Events covered
4 catalog events are tagged with this technique by at least one rule.
| Provider | Event | Title |
|---|---|---|
| Sysmon | Event ID 11 | FileCreate |
| Sysmon | Event ID 23 | FileDelete (File Delete archived) |
| Sysmon | Event ID 26 | FileDeleteDetected (File Delete logged) |
| Security-Auditing | Event ID 4663 | An attempt was made to access an object. |
Authoring guide
Patterns shared across the 80 rules under this technique (listed below): which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's `Image`, Elastic's `process.name`, and Splunk's `process_name` collapse into one row. Each rule contributes at most once per row.
Fields filtered most (115 distinct)
The fields most rules look at when detecting this technique. The How column shows the operators authors use (`eq`, `wildcard`, `regex_match`, `match`) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.
Top indicator values (373 distinct)
Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.
Exclusions (39 distinct)
Field/operator/value combinations excluded by rules under this technique (top-level `not()` clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.
Rules under this technique
Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.
Elastic (22 rules)
- AWS API Activity from Uncommon S3 Client by Rare User
- AWS CloudTrail Log Created
- AWS CloudTrail Log Updated
- AWS DynamoDB Scan by Unusual User
- AWS EC2 Export Task
- AWS S3 Bucket Enumeration or Brute Force
- AWS S3 Bucket Policy Added to Allow Public Access
- AWS S3 Bucket Policy Added to Share with External Account
- AWS S3 Credential File Retrieved from Bucket
- AWS S3 Rapid Bucket Posture API Calls from a Single Principal
- AWS S3 Unauthenticated Bucket Access by Rare Source
- AWS SNS Rare Protocol Subscription by User
- Azure Storage Account Blob Public Access Enabled
- Azure Storage Blob Retrieval via AzCopy
- GCP Pub/Sub Subscription Creation
- GCP Pub/Sub Topic Creation
- Google Workspace Drive Encryption Key(s) Accessed from Anonymous User
- Kubernetes Secret or ConfigMap Access via Azure Arc Proxy
- M365 OneDrive/SharePoint Excessive File Downloads
- M365 Purview DLP Signal
- M365 SharePoint Search for Sensitive Content
- M365 SharePoint/OneDrive File Access via PowerShell
Splunk (10 rules)
- Cisco ASA - Device File Copy Activity
- Detect GCP Storage access from a new IP
- Detect New Open GCP Storage Buckets
- Detect New Open S3 buckets
- Detect New Open S3 Buckets over AWS CLI
- Detect S3 access from a new IP
- Detect Spike in S3 Bucket deletion
- O365 Exfiltration via File Access
- O365 Exfiltration via File Download
- O365 Exfiltration via File Sync Download
Kusto (10 rules)
- AWS Security Hub - Detect SQS Queue policy allowing public access
- AWSCloudTrail - S3 Object Exfiltration from Anonymous User
- Box - Abnormal user activity
- GCP Audit Logs - Storage Bucket Made Public
- Netskope - Excessive Downloads Detection (Spike vs Baseline)
- Netskope - Heavy Personal Cloud Storage Usage (Shadow IT)
- Pathlock TDnR - Credit Card Data Changes
- Suspicious access of BEC related documents
- Suspicious access of BEC related documents in AWS S3 buckets
- Users searching for VIP user activity
Panther (38 rules)
- Anthropic Integration Connected
- AppOmni Alert Passthrough
- AWS CloudTrail S3 Bucket Access Logging
- AWS CloudTrail S3 Bucket Public
- AWS DynamoDB Table TTL
- AWS EC2 Volume Snapshot Encryption
- AWS RDS Instance Encryption
- AWS Redshift Cluster Encryption
- AWS S3 Access IP Allowlist
- AWS S3 Bucket Encryption
- AWS S3 Bucket Policy Allow With Not Principal
- AWS S3 Bucket Principal Restrictions
- AWS S3 Bucket Public Access Block
- AWS S3 Bucket Public Read
- AWS S3 Bucket Secure Access
- AWS S3 Insecure Access
- AWS S3 Unauthenticated Access
- AWS S3 Unknown Requester
- Azure Key Vault Certificate Accessed
- Azure Key Vault Secret Accessed or Recovered
- Azure Storage Account Keys Listed
- Azure Storage Blob Anonymous Access Enabled
- Azure Storage Blob Bulk Extraction
- Azure Storage File Share Created or Modified
- Azure VM Disk SAS URI Generated
- Databricks Repeated Unauthorized UC Data Requests
- GCP GCS Bulk Object Rewrite Operation
- GCP GCS IAM Permission Changes
- GCS Bucket Made Public
- Kubernetes Admission Controller Webhook Created
- Kubernetes All Secrets Dumped Across Namespaces
- Kubernetes Data Copy via kubectl cp
- Salesforce API Anomaly Detection (RET Passthrough)
- Salesforce Bulk API Data Exfiltration
- Slack Enterprise Key Management Unenrolled
- Snowflake Data Exfiltration
- Snowflake Data Exfiltration
- Upwind Posture Detection Passthrough