T1526 CrowdStrike LogScale · LogScale

Detect Cloud Service Discovery in CrowdStrike LogScale

Adversaries who have gained access to a cloud environment may enumerate cloud services, resources, and configurations to identify valuable targets, understand security controls, and plan follow-on actions. This includes enumerating Azure resources via Azure Resource Manager API, Microsoft Graph API calls to list applications and service principals, AWS service enumeration via Pacu or direct CLI, and discovery of security services such as GuardDuty, Defender for Cloud, CloudTrail, and logging configurations. Tools like Stormspotter, AADInternals, and ROADTools automate this reconnaissance and are commonly observed in pre-ransomware and espionage campaigns.

MITRE ATT&CK

Tactic: Discovery
Technique: T1526 Cloud Service Discovery
Canonical reference: https://attack.mitre.org/techniques/T1526/

LogScale Detection Query

CrowdStrike LogScale (LogScale)

#event_simpleName = "CloudApiCall"
| CloudApiAction = /(List|Get|Describe|Enumerate)/i
// Aggregate discovery-style calls per principal, source IP and 10-minute bucket
| bucket(span=10m, field=[UserName, RemoteAddressIP4],
         function=[count(as=OperationCount),
                   count(CloudApiService, distinct=true, as=DistinctServices),
                   collect([CloudApiAction])])
| OperationCount >= 20 OR DistinctServices >= 8
| case {
    DistinctServices >= 15 | RiskScore := "Critical";
    DistinctServices >= 8 OR OperationCount >= 50 | RiskScore := "High";
    * | RiskScore := "Medium"
  }
| rename(field=CloudApiAction, as=Actions)
| table([_bucket, UserName, RemoteAddressIP4, OperationCount, DistinctServices, RiskScore, Actions])
| sort(DistinctServices, order=desc)

Severity: medium · Confidence: medium

Detects bulk cloud service discovery via CrowdStrike Falcon cloud API call telemetry.
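As an added example (not part of this rule page or of CrowdStrike's tooling), the same 10-minute windowed aggregation, threshold filter and risk scoring as the query above, written in Python so the thresholds can be exercised offline against constructed CloudApiCall-shaped events. Field names follow the query; the principals, IPs and service list in the sample are invented.

```python
from collections import defaultdict
from datetime import datetime
import re

WINDOW = 600  # seconds; matches the query's 10m bucket span
DISCOVERY = re.compile(r"List|Get|Describe|Enumerate", re.IGNORECASE)

def risk_score(distinct_services, operation_count):
    """Same nested condition as the query's RiskScore field."""
    if distinct_services >= 15:
        return "Critical"
    if distinct_services >= 8 or operation_count >= 50:
        return "High"
    return "Medium"

def detect(events):
    """Group discovery-style CloudApiCall events per (user, source IP, 10-minute bucket); return buckets over threshold."""
    buckets = defaultdict(lambda: {"n": 0, "services": set(), "actions": set()})
    for ev in events:
        if ev["event_simpleName"] != "CloudApiCall" or not DISCOVERY.search(ev["CloudApiAction"]):
            continue
        ts = datetime.fromisoformat(ev["timestamp"]).timestamp()
        b = buckets[(ev["UserName"], ev["RemoteAddressIP4"], int(ts // WINDOW) * WINDOW)]
        b["n"] += 1
        b["services"].add(ev["CloudApiService"])
        b["actions"].add(ev["CloudApiAction"])
    hits = []
    for (user, ip, start), b in buckets.items():
        n, svc = b["n"], len(b["services"])
        if n >= 20 or svc >= 8:  # the query's threshold filter
            hits.append({"UserName": user, "RemoteAddressIP4": ip, "bucket_start": start,
                         "OperationCount": n, "DistinctServices": svc,
                         "RiskScore": risk_score(svc, n), "Actions": sorted(b["actions"])})
    return sorted(hits, key=lambda h: h["DistinctServices"], reverse=True)

def _event(ts, user, ip, service, action):
    return {"event_simpleName": "CloudApiCall", "timestamp": ts, "UserName": user,
            "RemoteAddressIP4": ip, "CloudApiService": service, "CloudApiAction": action}

def sample_events():
    """Constructed telemetry (not real Falcon data): one principal sweeping nine services in eight minutes, and a Terraform-style refresh touching only three."""
    sweep = ["ec2", "iam", "s3", "lambda", "ecs", "secretsmanager", "guardduty", "cloudtrail", "kms"]
    events = [_event(f"2024-05-01T10:0{i}:00+00:00", "svc-backup", "198.51.100.7", s, f"List{s.title()}")
              for i, s in enumerate(sweep)]
    events += [_event(f"2024-05-01T11:0{i}:00+00:00", "terraform-ci", "203.0.113.9", s, "DescribeResources")
               for i, s in enumerate(["ec2", "s3", "iam", "ec2", "s3"])]
    return events
```

Calling detect(sample_events()) returns one hit for svc-backup (nine distinct services, RiskScore High); the terraform-ci refresh stays under both thresholds, which is the tuning case the False Positives section describes.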

Data Sources

CrowdStrike Falcon Cloud Security

Required Tables

CloudApiCall

False Positives & Tuning

  • Cloud infrastructure automation tools (Terraform, Pulumi, Bicep) performing state refresh operations that enumerate all resource types across a subscription
  • Azure Security Center, Microsoft Defender for Cloud, or third-party CSPM platforms performing continuous posture assessments that enumerate resources
  • DevOps pipelines with service principals that run 'az resource list' or similar commands during environment validation steps
  • Cloud governance tools (Azure Policy compliance scans, Azure Advisor) that regularly enumerate resources to generate recommendations
  • IT administrators conducting authorized cloud inventory or migration assessments using tools like Azure Migrate or Azure Resource Graph
Testing Methodology

Validate this detection with the four Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. The expected signals are the native Azure and AWS audit logs (AzureActivity, AuditLogs, MicrosoftGraphActivityLogs, CloudTrail), whereas the query above runs on Falcon CloudApiCall events, so confirm that the same activity is reflected in that table in your environment before treating a test as passed. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Azure Resource Enumeration via Azure CLI

    Expected signal: AzureActivity log entries for each az CLI command with OperationNameValue containing Microsoft.Compute/virtualMachines/read, Microsoft.Network/virtualNetworks/read, Microsoft.Storage/storageAccounts/read, Microsoft.KeyVault/vaults/read, Microsoft.Web/sites/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Security/autoProvisioningSettings/read. Caller will be the authenticated user or service principal. CallerIpAddress will reflect the source machine's IP.

  2. Test 2: Entra ID Enumeration via AADInternals PowerShell Module

    Expected signal: AuditLogs entries with Category='Core Directory' for tenant and domain read operations. User-Agent field in AdditionalDetails will contain 'AADInternals'. SigninLogs will show authentication events for the token acquisition. MicrosoftGraphActivityLogs (if enabled) will show HTTP GET requests to /v1.0/organization, /v1.0/domains, /v1.0/servicePrincipals with User-Agent='AADInternals'.

  3. Test 3: Microsoft Graph API Service Principal Enumeration via PowerShell

    Expected signal: AuditLogs entries: OperationName='List servicePrincipals', 'List applications', 'List directoryRoles', 'Get organization', 'Get policy' with Category='Core Directory' and 'ApplicationManagement'. InitiatedBy will reflect the authenticated user. MicrosoftGraphActivityLogs will show GET requests to /v1.0/servicePrincipals, /v1.0/applications, /v1.0/directoryRoles, /v1.0/organization, /v1.0/policies/authorizationPolicy.

  4. Test 4: AWS Cloud Service Discovery via Pacu Framework

    Expected signal: AWS CloudTrail logs: DescribeTrails, ListDetectors, DescribeInstances, ListRoles, ListBuckets, ListFunctions, ListClusters, ListSecrets events with eventSource matching cloudtrail.amazonaws.com, guardduty.amazonaws.com, ec2.amazonaws.com, iam.amazonaws.com, s3.amazonaws.com, lambda.amazonaws.com, ecs.amazonaws.com, secretsmanager.amazonaws.com. userAgent will contain 'aws-cli'. sourceIPAddress will reflect the caller's IP.
