T1059.009 Cloud API Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let SuspiciousAPICalls = dynamic([
  "CreateUser", "AttachUserPolicy", "CreateAccessKey",
  "CreateRole", "AssumeRole", "GetSessionToken",
  "PutBucketPolicy", "DeleteBucketPolicy",
  "CreateFunction", "UpdateFunctionCode",
  "RunInstances", "CreateKeyPair",
  "StopLogging", "DeleteTrail", "PutEventSelectors",
  "DisableGuardDuty", "DeleteDetector",
  "CreateGroup", "AddMemberToGroup",
  "InviteUser", "AddMember",
  "roleDefinitions/write", "roleAssignments/write"
]);
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName has_any (SuspiciousAPICalls)
| union (
  AzureActivity
  | where TimeGenerated > ago(24h)
  | where OperationNameValue has_any ("roleDefinitions/write", "roleAssignments/write", "Microsoft.Compute/virtualMachines/write")
)
| union (
  AWSCloudTrail
  | where TimeGenerated > ago(24h)
  | where EventName has_any (SuspiciousAPICalls)
  | where UserIdentityType != "AssumedRole" or isnotempty(ErrorCode)
)
| project TimeGenerated, OperationName, Identity, CallerIpAddress, ResultType, ResultDescription
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Enumeration User Account: User Account Modification Application Log: Application Log Content

Required Tables

AuditLogs AzureActivity AWSCloudTrail

False Positives

Cloud administrators creating IAM users and roles during onboarding or infrastructure provisioning
Infrastructure-as-Code tools (Terraform, CloudFormation, Pulumi) creating cloud resources programmatically
CI/CD pipelines deploying Lambda functions or updating compute resources

Splunk

spl

index=aws sourcetype="aws:cloudtrail"
  (eventName="CreateUser" OR eventName="AttachUserPolicy" OR eventName="CreateAccessKey" OR eventName="CreateRole" OR eventName="AssumeRole" OR eventName="StopLogging" OR eventName="DeleteTrail" OR eventName="PutEventSelectors" OR eventName="RunInstances" OR eventName="CreateFunction" OR eventName="UpdateFunctionCode" OR eventName="CreateKeyPair" OR eventName="DisableGuardDuty" OR eventName="DeleteDetector")
| eval IAMChange=if(match(eventName, "(CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole)"), 1, 0)
| eval SecurityDisable=if(match(eventName, "(StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector)"), 1, 0)
| eval PrivEsc=if(match(eventName, "(AssumeRole|AttachUserPolicy)"), 1, 0)
| eval ComputeCreate=if(match(eventName, "(RunInstances|CreateFunction|UpdateFunctionCode)"), 1, 0)
| eval SuspicionScore=IAMChange*2 + SecurityDisable*3 + PrivEsc*2 + ComputeCreate
| where SuspicionScore > 0
| table _time, eventName, userIdentity.arn, sourceIPAddress, awsRegion, errorCode, IAMChange, SecurityDisable, PrivEsc, ComputeCreate, SuspicionScore
| sort - SuspicionScore, - _time

high severity medium confidence

Data Sources

Cloud Service: Cloud Service Enumeration User Account: User Account Modification AWS CloudTrail

Required Sourcetypes

aws:cloudtrail

False Positives

Cloud administrators creating IAM users and roles during onboarding
Infrastructure-as-Code tools (Terraform, CloudFormation) provisioning resources
CI/CD pipelines deploying Lambda functions or compute resources

Elastic Security (EQL)

eql

any where event.dataset in ("aws.cloudtrail", "azure.activitylogs", "azure.auditlogs") and
(
  event.action in (
    "CreateUser", "AttachUserPolicy", "CreateAccessKey",
    "CreateRole", "AssumeRole", "GetSessionToken",
    "PutBucketPolicy", "DeleteBucketPolicy",
    "CreateFunction", "UpdateFunctionCode",
    "RunInstances", "CreateKeyPair",
    "StopLogging", "DeleteTrail", "PutEventSelectors",
    "DisableGuardDuty", "DeleteDetector",
    "CreateGroup", "AddMemberToGroup"
  ) or
  event.action like~ "*roleDefinitions/write*" or
  event.action like~ "*roleAssignments/write*" or
  event.action like~ "*virtualMachines/write*"
)

high severity high confidence

Data Sources

AWS CloudTrail Azure Activity Logs Azure Audit Logs

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-* logs-azure.auditlogs-*

False Positives

DevOps automation pipelines (GitHub Actions, GitLab CI, Jenkins) using dedicated IAM service accounts will generate CreateAccessKey, AssumeRole, and CreateFunction events at predictable intervals aligned with deployment schedules
Infrastructure-as-code tools (Terraform, AWS CDK, Pulumi) executing planned cloud resource provisioning will produce IAM role creation, Lambda function updates, and EC2 instance launches as expected change management activities
Cloud security posture management (CSPM) tools such as Prisma Cloud or Wiz using read-heavy API calls may co-occur with occasional write operations during automated remediation workflows

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  QIDNAME(qid) AS "Event Action",
  username AS "Identity",
  sourceip AS "Source IP",
  CATEGORYNAME(category) AS "Category",
  LOGSOURCENAME(logsourceid) AS "Log Source",
  "deviceCustomString1" AS "Error Code",
  "deviceCustomString2" AS "AWS Region",
  UTF8(payload) AS "Raw Event"
FROM events
WHERE LAST 1 DAYS
  AND (
    LOGSOURCETYPENAME(logsourceid) ILIKE '%cloudtrail%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%azure activity%'
    OR LOGSOURCETYPENAME(logsourceid) ILIKE '%azure audit%'
  )
  AND (
    QIDNAME(qid) IN (
      'CreateUser', 'AttachUserPolicy', 'CreateAccessKey', 'CreateRole',
      'AssumeRole', 'GetSessionToken', 'PutBucketPolicy', 'DeleteBucketPolicy',
      'CreateFunction', 'UpdateFunctionCode', 'RunInstances', 'CreateKeyPair',
      'StopLogging', 'DeleteTrail', 'PutEventSelectors',
      'DisableGuardDuty', 'DeleteDetector', 'CreateGroup', 'AddMemberToGroup'
    )
    OR UTF8(payload) ILIKE '%roleDefinitions/write%'
    OR UTF8(payload) ILIKE '%roleAssignments/write%'
    OR UTF8(payload) ILIKE '%virtualMachines/write%'
  )
ORDER BY starttime DESC
LIMIT 500

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Logs Azure Audit Logs

Required Tables

events

False Positives

CloudFormation, AWS CDK, or Terraform stack deployments create IAM roles, Lambda functions, and EC2 instances as planned changes — correlate against approved change tickets to exclude these
Authorized cloud security assessments or penetration testing engagements using administrative API calls from known source IPs registered in the SOC allowlist
Service accounts used by cloud inventory or billing tools (CloudHealth, Apptio Cloudability, AWS Cost Explorer automation) that regularly invoke cloud APIs for resource discovery and cost attribution

Sumo Logic CSE

sql

(_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/activity OR _sourceCategory=azure/audit)
| json field=_raw "eventName" as eventName nodrop
| json field=_raw "operationName" as operationName nodrop
| json field=_raw "userIdentity.arn" as userArn nodrop
| json field=_raw "userIdentity.type" as identityType nodrop
| json field=_raw "sourceIPAddress" as sourceIP nodrop
| json field=_raw "awsRegion" as awsRegion nodrop
| json field=_raw "errorCode" as errorCode nodrop
| json field=_raw "errorMessage" as errorMessage nodrop
| where eventName in ("CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateRole", "AssumeRole", "GetSessionToken", "PutBucketPolicy", "DeleteBucketPolicy", "CreateFunction", "UpdateFunctionCode", "RunInstances", "CreateKeyPair", "StopLogging", "DeleteTrail", "PutEventSelectors", "DisableGuardDuty", "DeleteDetector", "CreateGroup", "AddMemberToGroup") OR operationName matches /roleDefinitions\/write|roleAssignments\/write|virtualMachines\/write/
| eval iam_change = if(eventName in ("CreateUser", "AttachUserPolicy", "CreateAccessKey", "CreateRole"), 1, 0)
| eval security_disable = if(eventName in ("StopLogging", "DeleteTrail", "PutEventSelectors", "DisableGuardDuty", "DeleteDetector"), 1, 0)
| eval priv_esc = if(eventName in ("AssumeRole", "AttachUserPolicy"), 1, 0)
| eval compute_create = if(eventName in ("RunInstances", "CreateFunction", "UpdateFunctionCode"), 1, 0)
| eval suspicion_score = iam_change * 2 + security_disable * 3 + priv_esc * 2 + compute_create
| where suspicion_score > 0
| table _messageTime, eventName, operationName, userArn, identityType, sourceIP, awsRegion, errorCode, errorMessage, iam_change, security_disable, priv_esc, compute_create, suspicion_score
| sort by suspicion_score desc

high severity high confidence

Data Sources

AWS CloudTrail Azure Activity Logs

Required Tables

_sourceCategory=aws/cloudtrail _sourceCategory=azure/activity _sourceCategory=azure/audit

False Positives

Automated deployment pipelines using IAM roles will generate AssumeRole and CreateFunction events at expected intervals aligned with release schedules — create a Sumo Logic allowlist lookup table for known pipeline ARNs
On-call engineers using aws CLI to investigate live incidents will generate GetSessionToken and AssumeRole events from residential or mobile IP addresses outside corporate egress ranges during after-hours emergencies
Multi-account AWS Organizations setups where a central management account routinely creates and attaches policies to delegated accounts via IAM automation will produce high volumes of legitimate AttachUserPolicy and CreateRole events

Google Chronicle / SecOps

yaral

rule suspicious_cloud_api_abuse_t1059_009 {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects suspicious cloud API calls indicative of T1059.009 abuse covering IAM manipulation, security control disabling, and compute provisioning via AWS and Azure provider APIs"
    mitre_attack_tactic = "Execution"
    mitre_attack_technique = "T1059.009"
    severity = "HIGH"
    confidence = "HIGH"
    priority = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1059/009/"

  events:
    (
      $e.metadata.product_name = "AWS CloudTrail" or
      $e.metadata.product_name = "Azure Activity" or
      $e.metadata.product_name = "Azure Audit"
    )
    re.regex($e.target.resource.name,
      `(?i)(CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole|AssumeRole|GetSessionToken|PutBucketPolicy|DeleteBucketPolicy|CreateFunction|UpdateFunctionCode|RunInstances|CreateKeyPair|StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector|CreateGroup|AddMemberToGroup|roleDefinitions/write|roleAssignments/write|virtualMachines/write)`
    )
    $e.principal.ip = $src_ip
    $e.principal.user.userid = $actor

  condition:
    $e
}

high severity high confidence

Data Sources

AWS CloudTrail Azure Activity Logs Azure Audit Logs

Required Tables

AWS CloudTrail UDM ingestion feed Azure Activity UDM ingestion feed

False Positives

Authorized cloud infrastructure automation using service accounts with broad permissions — Terraform pipelines running role creation and Lambda deployment generate expected IAM events that should be excluded via allowlist on principal.user.userid
Cloud security posture management tools with automated remediation capabilities may legitimately invoke StopLogging or modify role policies as part of auto-fix workflows triggered by compliance violations
AWS Organizations management accounts performing bulk cross-account role assignments during onboarding of new member accounts will produce high-volume legitimate roleAssignments/write and CreateRole events

CrowdStrike LogScale (CQL)

cql

#kind = "CloudAuditActivity"
| eventName != ""
| eventName = /CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole|AssumeRole|GetSessionToken|PutBucketPolicy|DeleteBucketPolicy|CreateFunction|UpdateFunctionCode|RunInstances|CreateKeyPair|StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector|CreateGroup|AddMemberToGroup/
| iamChange := case {
    eventName = /CreateUser|AttachUserPolicy|CreateAccessKey|CreateRole/ => 1 ;
    * => 0
  }
| securityDisable := case {
    eventName = /StopLogging|DeleteTrail|PutEventSelectors|DisableGuardDuty|DeleteDetector/ => 1 ;
    * => 0
  }
| privEsc := case {
    eventName = /AssumeRole|AttachUserPolicy/ => 1 ;
    * => 0
  }
| computeCreate := case {
    eventName = /RunInstances|CreateFunction|UpdateFunctionCode/ => 1 ;
    * => 0
  }
| suspicionScore := iamChange * 2 + securityDisable * 3 + privEsc * 2 + computeCreate
| suspicionScore > 0
| groupBy(
    [eventName, userIdentity, sourceIPAddress, awsRegion, cloudProvider],
    function=[
      count(as=eventCount),
      max(field=suspicionScore, as=maxScore),
      collect(field=errorCode, limit=10)
    ]
  )
| sort(maxScore, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon AWS CloudTrail via Falcon Cloud Security Azure Activity via Falcon Cloud Security

Required Tables

CloudAuditActivity

False Positives

Falcon Horizon reports legitimate AssumeRole events from cross-account access patterns used by centralized security tooling or AWS Organizations management accounts — add these known role ARNs to a suppression list in the Falcon console
Automated remediation rules in Falcon Cloud Security may themselves trigger RunInstances or UpdateFunctionCode API calls when auto-remediating misconfigurations, creating feedback loop detections that should be filtered by the Falcon service principal identity
CI/CD pipeline service accounts with overly broad IAM permissions generate IAM-related API calls during normal deployment cycles — apply allowlisting on userIdentity for known deployment automation accounts to reduce noise

Cloud API

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Execution

Popular Detections