T1530 IBM QRadar · QRadar

Detect Data from Cloud Storage in IBM QRadar

Adversaries access data from cloud storage services including IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and automated tools such as Rclone, Pacu, and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider, and Storm-0501 — the latter specifically modifying Azure Storage account configurations to expose non-remotely accessible accounts for data exfiltration. Misconfigurations enabling anonymous or overly broad access have led to exposure of PII, medical records, and financial data at scale.

MITRE ATT&CK

Tactic: Collection
Technique: T1530 Data from Cloud Storage
Canonical reference: https://attack.mitre.org/techniques/T1530/

QRadar Detection Query

IBM QRadar (QRadar)

```sql
SELECT
  DATEFORMAT((starttime / 1800000) * 1800000, 'YYYY-MM-dd HH:mm:ss') AS time_bucket,
  username AS actor,
  sourceip AS source_ip,
  LOGSOURCETYPENAME(logsourceid) AS platform,
  COUNT(*) AS total_requests,
  SUM(CASE
    WHEN QIDNAME(qid) LIKE '%GetObject%'
      OR QIDNAME(qid) LIKE '%FileDownload%'
      OR QIDNAME(qid) LIKE '%FileSyncDownload%'
    THEN 1 ELSE 0 END) AS download_count,
  SUM(CASE
    WHEN QIDNAME(qid) LIKE '%ListBucket%'
      OR QIDNAME(qid) LIKE '%ListObjects%'
      OR QIDNAME(qid) LIKE '%GetBucketAcl%'
      OR QIDNAME(qid) LIKE '%GetBucketPolicy%'
    THEN 1 ELSE 0 END) AS enum_count,
  SUM(CASE
    WHEN UTF8(payload) ILIKE '%AnonUser%'
      OR UTF8(payload) ILIKE '%"type":"Anonymous%'
      OR UTF8(payload) ILIKE '%principalId":"anonymous%'
    THEN 1 ELSE 0 END) AS anon_count,
  MAX(CASE
    WHEN UTF8(payload) ILIKE '%rclone%'
      OR UTF8(payload) ILIKE '%pacu%'
      OR UTF8(payload) ILIKE '%aadInternals%'
      OR UTF8(payload) ILIKE '%boto3%'
      OR UTF8(payload) ILIKE '%python-requests%'
      OR UTF8(payload) ILIKE '%aws-cli/%'
    THEN 1 ELSE 0 END) AS known_tool_detected,
  MAX(CASE
    WHEN UTF8(payload) ILIKE '%listKeys%'
      OR UTF8(payload) ILIKE '%regenerateKey%'
      OR UTF8(payload) ILIKE '%LISTKEYS/ACTION%'
      OR UTF8(payload) ILIKE '%REGENERATEKEY/ACTION%'
    THEN 1 ELSE 0 END) AS storage_key_access,
  (
    CASE WHEN SUM(CASE WHEN UTF8(payload) ILIKE '%AnonUser%' OR UTF8(payload) ILIKE '%"type":"Anonymous%' THEN 1 ELSE 0 END) > 0 THEN 3 ELSE 0 END +
    CASE WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%FileDownload%' THEN 1 ELSE 0 END) > 500 THEN 3
         WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%FileDownload%' THEN 1 ELSE 0 END) > 100 THEN 2
         WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%FileDownload%' THEN 1 ELSE 0 END) > 50 THEN 1
         ELSE 0 END +
    CASE WHEN SUM(CASE WHEN QIDNAME(qid) LIKE '%ListBucket%' OR QIDNAME(qid) LIKE '%ListObjects%' THEN 1 ELSE 0 END) > 20 THEN 1 ELSE 0 END +
    CASE WHEN MAX(CASE WHEN UTF8(payload) ILIKE '%rclone%' OR UTF8(payload) ILIKE '%pacu%' OR UTF8(payload) ILIKE '%aadInternals%' THEN 1 ELSE 0 END) = 1 THEN 2 ELSE 0 END
  ) AS suspicion_score
FROM events
WHERE (
    LOGSOURCETYPENAME(logsourceid) LIKE '%CloudTrail%'
    OR LOGSOURCETYPENAME(logsourceid) LIKE '%Office 365%'
    OR LOGSOURCETYPENAME(logsourceid) LIKE '%Azure Activity%'
  )
  AND (
    (UTF8(payload) ILIKE '%s3.amazonaws.com%'
     AND (
       QIDNAME(qid) LIKE '%GetObject%' OR QIDNAME(qid) LIKE '%ListBucket%'
       OR QIDNAME(qid) LIKE '%ListObjects%' OR QIDNAME(qid) LIKE '%GetBucketAcl%'
       OR QIDNAME(qid) LIKE '%GetBucketPolicy%' OR QIDNAME(qid) LIKE '%GetBucketPublicAccess%'
     )
    )
    OR (
      LOGSOURCETYPENAME(logsourceid) LIKE '%Office 365%'
      AND (
        QIDNAME(qid) LIKE '%FileDownload%' OR QIDNAME(qid) LIKE '%FileAccess%'
        OR QIDNAME(qid) LIKE '%FileCop%' OR QIDNAME(qid) LIKE '%FileSyncDownload%'
      )
      AND (UTF8(payload) ILIKE '%OneDrive%' OR UTF8(payload) ILIKE '%SharePoint%')
    )
    OR (
      UTF8(payload) ILIKE '%Microsoft.Storage%'
      AND (
        UTF8(payload) ILIKE '%listKeys%' OR UTF8(payload) ILIKE '%regenerateKey%'
        OR UTF8(payload) ILIKE '%storageAccounts/write%'
      )
    )
  )
GROUP BY (starttime / 1800000) * 1800000, username, sourceip
HAVING download_count > 50
    OR anon_count > 0
    OR known_tool_detected = 1
    OR enum_count > 20
    OR storage_key_access = 1
ORDER BY suspicion_score DESC, time_bucket DESC
LAST 86400 SECONDS
```

Severity: high. Confidence: medium.

This QRadar AQL query aggregates cloud storage access events from AWS CloudTrail, Microsoft Office 365 audit logs, and Azure Activity logs into 30-minute windows keyed by user and source IP. It calculates a suspicion score from four signals: anonymous access, download volume, enumeration activity, and known exfiltration tool signatures (rclone, pacu, aadInternals, boto3). A row is returned when any alert condition holds: mass downloads (more than 50 in a window), any anonymous access, a known tool user agent, or Azure Storage key listing or regeneration operations. Cloud-provider-specific fields are matched as substrings of the raw payload rather than via custom event properties, because the custom properties available for these log sources vary by deployment.

Data Sources

  • Amazon AWS CloudTrail log source (DSM: Amazon AWS CloudTrail)
  • Microsoft Office 365 log source (DSM: Microsoft Office 365)
  • Microsoft Azure Activity Logs log source (DSM: Microsoft Azure)

Required Tables

events

False Positives & Tuning

  • Bulk S3 downloads by automated ETL pipelines using boto3 or aws-cli service accounts during scheduled data warehouse refresh jobs creating high download_count values
  • SharePoint library offline sync by legitimate users downloading entire team site document libraries triggering the 50-file threshold
  • Routine Azure Storage access key rotation by platform operations team during change management windows generating storage_key_access hits
Testing Methodology

Validate this detection against the 4 adversary techniques below, drawn from Atomic Red Team. Each test lists the behaviour to exercise and the telemetry you should expect to see.

  1. Test 1: AWS S3 Anonymous Bucket Enumeration and Download

    Expected signal: AWS CloudTrail will record ListObjects and GetObject events with userIdentity.type=Anonymous and userIdentity.principalId=anonymous. sourceIPAddress will be the tester's public IP. No ARN present in the identity block. S3 server access logs (if enabled) will show - as the requester.

  2. Test 2: AWS S3 Bulk Object Download with Valid Credentials

    Expected signal: CloudTrail records a ListObjects call (eventName=ListObjectsV2) followed by multiple GetObject events from the same source IP within a short window. userIdentity.type=IAMUser or AssumedRole with the test key ARN. requestParameters.bucketName contains the target bucket. The high event volume crosses the 50+ GetObject threshold (download_count > 50) in the AQL detection.

  3. Test 3: Rclone Cloud Storage Sync (Exfiltration Tool Pattern)

    Expected signal: CloudTrail GetObject and ListObjectsV2 events with userAgent containing 'rclone/' version string (e.g., 'rclone/v1.65.0'). High-volume sequential GetObject events for each file in the bucket. The rclone.conf file will contain plaintext cloud credentials at ~/.config/rclone/rclone.conf — a forensic artifact.

  4. Test 4: AADInternals OneDrive File Collection

    Expected signal: Microsoft 365 OfficeActivity logs show FileDownloaded operations with UserId matching the authenticated account and OfficeWorkload=OneDrive. UserAgent will identify AADInternals. ClientIP will be the tester's IP. Events appear in the Unified Audit Log within minutes. Entra ID SignInLogs will show the authentication used to obtain the access token.
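To check the thresholds and score arithmetic of the AQL query before deploying it, the following Python harness (added here; it is not part of the original page or of the QRadar rule) replays the query's 30-minute bucketing, suspicion_score and HAVING conditions over constructed CloudTrail-style records shaped like the expected signals of Tests 1 and 3 above. The record layout (eventTimeMs, eventName, userIdentity, userAgent) and all sample values are assumptions; the Azure storage_key_access branch is not modelled.

```python
import json
from collections import defaultdict

WINDOW_MS = 1_800_000  # 30-minute buckets, as in the AQL: (starttime / 1800000) * 1800000
DOWNLOAD_OPS = ("GetObject", "FileDownload", "FileSyncDownload")
ENUM_OPS = ("ListBucket", "ListObjects", "GetBucketAcl", "GetBucketPolicy")
KNOWN_TOOLS = ("rclone", "pacu", "aadinternals")  # the three tools that add +2 to the score


def score_bucket(b):
    """Same arithmetic as the query's suspicion_score column for one (window, actor, ip) bucket."""
    score = 3 if b["anon"] > 0 else 0
    d = b["download"]
    score += 3 if d > 500 else 2 if d > 100 else 1 if d > 50 else 0
    score += 1 if b["enum"] > 20 else 0
    score += 2 if b["known_tool"] else 0
    return score


def alerts_from_cloudtrail(records):
    """Aggregate per 30-minute window / actor / source IP, then apply the HAVING conditions.
    Returns alert dicts sorted by score, highest first (ORDER BY suspicion_score DESC)."""
    buckets = defaultdict(lambda: {"total": 0, "download": 0, "enum": 0, "anon": 0, "known_tool": False})
    for r in records:
        ident = r.get("userIdentity", {})
        actor = ident.get("arn") or ident.get("principalId", "unknown")
        key = ((r["eventTimeMs"] // WINDOW_MS) * WINDOW_MS, actor, r.get("sourceIPAddress"))
        b, name = buckets[key], r.get("eventName", "")
        b["total"] += 1
        b["download"] += int(any(op in name for op in DOWNLOAD_OPS))
        b["enum"] += int(any(op in name for op in ENUM_OPS))
        # Test 1 signal: userIdentity.type=Anonymous / userIdentity.principalId=anonymous
        b["anon"] += int(ident.get("type") == "Anonymous" or ident.get("principalId") == "anonymous")
        # Test 3 signal: the tool name inside userAgent, e.g. rclone/v1.65.0
        b["known_tool"] |= any(t in r.get("userAgent", "").lower() for t in KNOWN_TOOLS)
    alerts = [{"window_ms": w, "actor": a, "source_ip": ip, **b, "score": score_bucket(b)}
              for (w, a, ip), b in buckets.items()
              if b["download"] > 50 or b["anon"] > 0 or b["known_tool"] or b["enum"] > 20]
    return sorted(alerts, key=lambda x: x["score"], reverse=True)


# Constructed sample telemetry (not real logs): an anonymous list+download pair, then 120 GetObject
# calls by an IAM user with an rclone user agent, all inside one window-aligned 30-minute bucket.
T0 = 944_444 * WINDOW_MS
ANON = {"type": "Anonymous", "principalId": "anonymous"}
USER = {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/test-user"}
SAMPLE_RECORDS = [
    {"eventTimeMs": T0, "eventName": "ListObjects", "sourceIPAddress": "203.0.113.10", "userIdentity": ANON, "userAgent": "Mozilla/5.0"},
    {"eventTimeMs": T0 + 1000, "eventName": "GetObject", "sourceIPAddress": "203.0.113.10", "userIdentity": ANON, "userAgent": "Mozilla/5.0"},
] + [{"eventTimeMs": T0 + i * 500, "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
      "userIdentity": USER, "userAgent": "rclone/v1.65.0"} for i in range(120)]

if __name__ == "__main__":
    print(json.dumps(alerts_from_cloudtrail(SAMPLE_RECORDS), indent=1))
```

Feeding the harness records exported from a real test run (converted to the assumed layout) shows which HAVING branch fired and whether a legitimate ETL job lands on the 50/100/500 download tiers that the False Positives section warns about.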
