T1526 Elastic Security · Elastic

Detect Cloud Service Discovery in Elastic Security

Adversaries who have gained access to a cloud environment may enumerate cloud services, resources, and configurations to identify valuable targets, understand security controls, and plan follow-on actions. This includes enumerating Azure resources via Azure Resource Manager API, Microsoft Graph API calls to list applications and service principals, AWS service enumeration via Pacu or direct CLI, and discovery of security services such as GuardDuty, Defender for Cloud, CloudTrail, and logging configurations. Tools like Stormspotter, AADInternals, and ROADTools automate this reconnaissance and are commonly observed in pre-ransomware and espionage campaigns.

MITRE ATT&CK

Tactic
Discovery
Technique
T1526 Cloud Service Discovery
Canonical reference
https://attack.mitre.org/techniques/T1526/

Elastic Detection Query

Elastic Security (Elastic)
eql 
sequence by source.user.name, source.ip with maxspan=10m
  [any where event.dataset == "azure.activitylogs" and
   event.outcome == "success" and
   (event.action : ("*/list*","*/read","*/get*") and
    not event.category : ("Policy","Alert","Autoscale"))]
  with runs=20
medium severity medium confidence

Detects cloud service enumeration by identifying bulk read/list operations across Azure resources in a short window.

Data Sources

Azure Activity Logs via Elastic integration

Required Tables

logs-azure.activitylogs-*

False Positives & Tuning

  • Cloud infrastructure automation tools (Terraform, Pulumi, Bicep) performing state refresh operations that enumerate all resource types across a subscription
  • Azure Security Center, Microsoft Defender for Cloud, or third-party CSPM platforms performing continuous posture assessments that enumerate resources
  • DevOps pipelines with service principals that run 'az resource list' or similar commands during environment validation steps
  • Cloud governance tools (Azure Policy compliance scans, Azure Advisor) that regularly enumerate resources to generate recommendations
  • IT administrators conducting authorized cloud inventory or migration assessments using tools like Azure Migrate or Azure Resource Graph
Download portable Sigma rule (.yml)

Other platforms for T1526

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Azure Resource Enumeration via Azure CLI

    Expected signal: AzureActivity log entries for each az CLI command with OperationNameValue containing Microsoft.Compute/virtualMachines/read, Microsoft.Network/virtualNetworks/read, Microsoft.Storage/storageAccounts/read, Microsoft.KeyVault/vaults/read, Microsoft.Web/sites/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Security/autoProvisioningSettings/read. Caller will be the authenticated user or service principal. CallerIpAddress will reflect the source machine's IP.

  2. Test 2Entra ID Enumeration via AADInternals PowerShell Module

    Expected signal: AuditLogs entries with Category='Core Directory' for tenant and domain read operations. User-Agent field in AdditionalDetails will contain 'AADInternals'. SigninLogs will show authentication events for the token acquisition. MicrosoftGraphActivityLogs (if enabled) will show HTTP GET requests to /v1.0/organization, /v1.0/domains, /v1.0/servicePrincipals with User-Agent='AADInternals'.

  3. Test 3Microsoft Graph API Service Principal Enumeration via PowerShell

    Expected signal: AuditLogs entries: OperationName='List servicePrincipals', 'List applications', 'List directoryRoles', 'Get organization', 'Get policy' with Category='Core Directory' and 'ApplicationManagement'. InitiatedBy will reflect the authenticated user. MicrosoftGraphActivityLogs will show GET requests to /v1.0/servicePrincipals, /v1.0/applications, /v1.0/directoryRoles, /v1.0/organization, /v1.0/policies/authorizationPolicy.

  4. Test 4AWS Cloud Service Discovery via Pacu Framework

    Expected signal: AWS CloudTrail logs: DescribeTrails, ListDetectors, DescribeInstances, ListRoles, ListBuckets, ListFunctions, ListClusters, ListSecrets events with eventSource matching cloudtrail.amazonaws.com, guardduty.amazonaws.com, ec2.amazonaws.com, iam.amazonaws.com, s3.amazonaws.com, lambda.amazonaws.com, ecs.amazonaws.com, secretsmanager.amazonaws.com. userAgent will contain 'aws-cli'. sourceIPAddress will reflect the caller's IP.

Last updated: 2026-03-15 Research depth: deep
References (12)

Unlock Pro Content

Get the full detection package for T1526 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1069.003Cloud GroupsT1087.004Cloud AccountT1562.008Disable or Modify Cloud LogsT1562.001Disable or Modify ToolsT1078.004Cloud AccountsT1098.003Additional Cloud RolesT1613Container and Resource DiscoveryT1530Data from Cloud StorageT1552.008Chat Messages

Same Tactic: Discovery

Popular Detections