Cloud Infrastructure Discovery T1580

Events covered

3 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 42 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (81 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (303 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (33 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 2 rules

• Many AccessDenied Errors from Single Source
• Potential Bucket Enumeration on AWS

Elastic 21 rules

• AWS Account Discovery By Rare User
• AWS Discovery API Calls from VPN ASN for the First Time by Identity
• AWS Discovery API Calls via CLI from a Single Resource
• AWS EC2 Deprecated AMI Discovery
• AWS EC2 Multi-Region DescribeInstances API Calls
• AWS EC2 User Data Retrieval for EC2 Instance
• AWS S3 Bucket Enumeration or Brute Force
• AWS S3 Rapid Bucket Posture API Calls from a Single Principal
• AWS Service Quotas Multi-Region GetServiceQuota Requests
• AWS SSM Inventory Reconnaissance by Rare User
• Entra ID Sign-in BloodHound Suite User-Agent Detected
• Entra ID Sign-in TeamFiltration User-Agent Detected
• Rare AWS Error Code
• Rare Azure Activity Logs Event Failures
• Rare GCP Audit Failure Event Code
• Spike in AWS Error Messages
• Spike in Azure Activity Logs Failed Messages
• Spike in GCP Audit Failed Messages
• Suspicious Instance Metadata Service (IMDS) API Command Line Execution
• Suspicious Instance Metadata Service (IMDS) API Request
• Unusual Windows Process Calling the Metadata Service

Splunk 5 rules

• ASL AWS IAM AccessDenied Discovery Events
• ASL AWS IAM Assume Role Policy Brute Force
• AWS Bedrock High Number List Foundation Model Failures
• AWS IAM AccessDenied Discovery Events
• AWS IAM Assume Role Policy Brute Force

Kusto 7 rules

• API - Kiterunner detection
• AWSCloudTrail - Monitor AWS Credential abuse or hijacking
• AWSCloudTrail - User IAM Enumeration
• Dataverse - Suspicious use of Web API
• Dataverse - TI map IP to DataverseActivity
• OCI - Discovery activity
• Unauthorized user access across AWS and Azure

YARA-L 4 rules

• AWS EC2 High Number Of API Calls
• AWS Excessive Successful Discovery Events
• AWS IAM Access Denied Discovery Events
• GCP Excessive Permission Denied Events

Panther 3 rules

• AWS CloudTrail SES Enumeration
• AWS EC2 Download Instance User Data
• AWS RDS Snapshot Enumeration with Public or Shared Flag