Detect Data from Cloud Storage in Sumo Logic CSE
Adversaries access data from cloud storage services including IaaS object stores (Amazon S3, Azure Blob Storage, Google Cloud Storage) and SaaS platform storage (OneDrive, SharePoint, Google Drive, Dropbox). Attack vectors include exploiting misconfigured public bucket access, using compromised credentials or SAS tokens, abusing overly permissive IAM roles, and automated tools such as Rclone, Pacu, and AADInternals for bulk extraction. Threat actors observed using this technique include Fox Kitten, APT42, HAFNIUM, Scattered Spider, and Storm-0501 — the latter specifically modifying Azure Storage account configurations to expose non-remotely accessible accounts for data exfiltration. Misconfigurations enabling anonymous or overly broad access have led to exposure of PII, medical records, and financial data at scale.
MITRE ATT&CK
- Tactic: Collection
- Technique: T1530 Data from Cloud Storage
- Canonical reference: https://attack.mitre.org/techniques/T1530/
Sumo Detection Query
```
(_sourceCategory=*cloudtrail* OR _sourceCategory=*o365* OR _sourceCategory=*azure*storage* OR _sourceCategory=*azure*activity*)
| json auto maxdepth 5 nodrop
| where (
    (eventSource="s3.amazonaws.com"
     AND eventName in ("GetObject","ListBucket","ListObjects","ListObjectsV2",
                       "GetBucketAcl","GetBucketPolicy","GetBucketPublicAccessBlock"))
    OR (Workload in ("OneDrive","SharePoint")
        AND Operation in ("FileDownloaded","FileSyncDownloadedFull","FileAccessed","FileCopied"))
    OR (resourceProvider="MICROSOFT.STORAGE"
        AND operationName in ("Microsoft.Storage/storageAccounts/write",
                              "Microsoft.Storage/storageAccounts/blobServices/write",
                              "Microsoft.Storage/storageAccounts/listKeys/action",
                              "Microsoft.Storage/storageAccounts/regenerateKey/action"))
  )
// Sumo Logic has no eval or coalesce: nested if()/isNull() chains collapse the three schemas.
// Dotted JSON field names must be referenced as %"a.b".
| if(eventSource="s3.amazonaws.com", "AWS_S3",
     if(!isNull(Workload), "Microsoft365",
        if(!isNull(resourceProvider), "AzureStorage", "Unknown"))) as platform
| if(!isNull(%"userIdentity.arn"), %"userIdentity.arn",
     if(!isNull(%"userIdentity.userName"), %"userIdentity.userName",
        if(!isNull(UserId), UserId,
           if(!isNull(caller), caller, "unknown")))) as actor
| if(!isNull(sourceIPAddress), sourceIPAddress,
     if(!isNull(ClientIP), ClientIP,
        if(!isNull(callerIpAddress), callerIpAddress, "unknown"))) as source_ip
| if(!isNull(%"requestParameters.bucketName"), %"requestParameters.bucketName",
     if(!isNull(SiteUrl), SiteUrl,
        if(!isNull(resourceId), resourceId, "unknown"))) as target_resource
| if(!isNull(%"requestParameters.key"), %"requestParameters.key",
     if(!isNull(SourceFileName), SourceFileName, "unknown")) as object_key
| if(!isNull(userAgent), userAgent,
     if(!isNull(UserAgent), UserAgent, "")) as user_agent_val
// Feature flags, one per scoring dimension
| if(%"userIdentity.type"="AnonUser"
     OR %"userIdentity.principalId"="anonymous"
     OR actor="anonymous", 1, 0) as is_anonymous
| if(eventName="GetObject"
     OR Operation in ("FileDownloaded","FileSyncDownloadedFull"), 1, 0) as is_download
| if(eventName in ("ListBucket","ListObjects","ListObjectsV2",
                   "GetBucketAcl","GetBucketPolicy","GetBucketPublicAccessBlock"), 1, 0) as is_enum
| if(operationName in ("Microsoft.Storage/storageAccounts/listKeys/action",
                       "Microsoft.Storage/storageAccounts/regenerateKey/action",
                       "Microsoft.Storage/storageAccounts/write"), 1, 0) as is_config_change
| if(user_agent_val matches /(?i)(rclone|pacu|aadInternals|aws-cli\/|python-requests|boto3\/|s3browser|CloudBerry)/,
     1, 0) as tool_match
| timeslice 30m
| count as total_requests,
  sum(is_download) as download_count,
  sum(is_enum) as enum_count,
  max(is_anonymous) as has_anonymous_access,
  max(tool_match) as known_tool_detected,
  max(is_config_change) as storage_config_change,
  count_distinct(object_key) as unique_objects,
  values(target_resource) as target_resources,
  first(actor) as actor,
  first(user_agent_val) as user_agent_sample
  by _timeslice, source_ip, platform
| where download_count > 50
     OR has_anonymous_access = 1
     OR known_tool_detected = 1
     OR enum_count > 20
     OR storage_config_change = 1
| if(has_anonymous_access=1, 3, 0)
  + if(download_count > 500, 3, if(download_count > 100, 2, if(download_count > 50, 1, 0)))
  + if(enum_count > 20, 1, 0)
  + if(known_tool_detected=1, 2, 0)
  + if(storage_config_change=1, 2, 0) as suspicion_score
| if(has_anonymous_access=1 OR suspicion_score >= 5, "High",
     if(suspicion_score >= 3, "Medium", "Low")) as severity
| where suspicion_score > 0
| fields _timeslice, platform, actor, source_ip, target_resources,
         download_count, enum_count, unique_objects, has_anonymous_access,
         known_tool_detected, storage_config_change, user_agent_sample,
         suspicion_score, severity
| sort by _timeslice desc
```

Sumo Logic CSE query aggregating cloud storage access events from AWS S3 CloudTrail, Microsoft 365 OneDrive/SharePoint audit logs, and Azure Activity logs. It uses json auto parsing with nested if()/isNull() chains (coalesce-style) to handle the divergent field schemas across log sources, then computes a suspicion score from anonymous access, bulk download volume, enumeration depth, known tool signatures, and Azure Storage configuration changes (the Storm-0501 staging pattern). The result is a single detection with actionable severity triage across all three cloud storage platforms.
False Positives & Tuning
- Enterprise data migration projects performing authorized bulk S3 sync using rclone or aws-cli service accounts will match the known_tool_detected condition and high download_count threshold
- SharePoint Online throttling-retry patterns where a client retries file downloads due to transient errors can inflate download_count beyond the 50-file threshold for a single file session
- Azure Storage key rotation automation scripts run by platform engineering during monthly credential rotation will trigger storage_config_change hits across multiple storage accounts simultaneously
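To see how the query's schema normalisation, 30-minute aggregation, scoring thresholds and the tuning points above interact, here is an added Python model of the same logic. It is an example written for this page, not code from the page, from Sumo Logic, or the CSE rule itself; field names follow the query, but the bucket, principal names, IP addresses and events are constructed samples, and the `allowlist` parameter is a hypothetical tuning knob standing in for a CSE match list or suppression. It serves both the query section and the false-positive list: one batch of sample events contains an authorised rclone migration, an anonymous read, a key-rotation automation run and an AADInternals download.

```python
# Added example, not code from the page or from Sumo Logic: an offline model of the
# detection query, run over constructed sample events (hypothetical principals, documentation IPs).
import re
from collections import defaultdict
from datetime import datetime

TOOL_RE = re.compile(r"(?i)(rclone|pacu|aadInternals|aws-cli/|python-requests|boto3/|s3browser|CloudBerry)")
S3_ENUM = {"ListBucket", "ListObjects", "ListObjectsV2", "GetBucketAcl", "GetBucketPolicy", "GetBucketPublicAccessBlock"}
M365_OPS = {"FileDownloaded", "FileSyncDownloadedFull", "FileAccessed", "FileCopied"}
AZ_CONFIG = {"Microsoft.Storage/storageAccounts/write", "Microsoft.Storage/storageAccounts/listKeys/action",
             "Microsoft.Storage/storageAccounts/regenerateKey/action"}
AZ_OPS = AZ_CONFIG | {"Microsoft.Storage/storageAccounts/blobServices/write"}

def _get(d, path):
    """Read a dotted path such as 'userIdentity.arn' from a nested record; None if absent."""
    for part in path.split("."):
        if not isinstance(d, dict) or part not in d:
            return None
        d = d[part]
    return d

def coalesce(*vals, default="unknown"):
    """First non-null value: the query's nested if(!isNull(...)) chains."""
    return next((v for v in vals if v is not None), default)

def in_scope(ev):
    """The query's initial where-clause: keep only the storage operations of interest."""
    return ((ev.get("eventSource") == "s3.amazonaws.com" and ev.get("eventName") in S3_ENUM | {"GetObject"})
            or (ev.get("Workload") in ("OneDrive", "SharePoint") and ev.get("Operation") in M365_OPS)
            or (ev.get("resourceProvider") == "MICROSOFT.STORAGE" and ev.get("operationName") in AZ_OPS))

def normalize(ev):
    """Collapse the CloudTrail / Microsoft 365 / Azure Activity schemas into one row with feature flags."""
    platform = ("AWS_S3" if ev.get("eventSource") == "s3.amazonaws.com" else "Microsoft365" if "Workload" in ev
                else "AzureStorage" if "resourceProvider" in ev else "Unknown")
    actor = coalesce(_get(ev, "userIdentity.arn"), _get(ev, "userIdentity.userName"), ev.get("UserId"), ev.get("caller"))
    ua = coalesce(ev.get("userAgent"), ev.get("UserAgent"), default="")
    return {"ts": datetime.fromisoformat(ev["eventTime"].replace("Z", "+00:00")), "platform": platform,
            "actor": actor, "ua": ua,
            "source_ip": coalesce(ev.get("sourceIPAddress"), ev.get("ClientIP"), ev.get("callerIpAddress")),
            "target": coalesce(_get(ev, "requestParameters.bucketName"), ev.get("SiteUrl"), ev.get("resourceId")),
            "object_key": coalesce(_get(ev, "requestParameters.key"), ev.get("SourceFileName")),
            "is_anonymous": int(_get(ev, "userIdentity.type") == "AnonUser"
                                or _get(ev, "userIdentity.principalId") == "anonymous" or actor == "anonymous"),
            "is_download": int(ev.get("eventName") == "GetObject"
                               or ev.get("Operation") in ("FileDownloaded", "FileSyncDownloadedFull")),
            "is_enum": int(ev.get("eventName") in S3_ENUM),
            "is_config_change": int(ev.get("operationName") in AZ_CONFIG),
            "tool_match": int(TOOL_RE.search(ua) is not None)}

def detect(events, allowlist=frozenset()):
    """Aggregate per 30-minute slice / source IP / platform and score like the query.
    allowlist is a hypothetical tuning knob: authorised, non-anonymous principals are suppressed."""
    groups = defaultdict(list)
    for n in map(normalize, filter(in_scope, events)):
        sl = n["ts"].replace(minute=n["ts"].minute // 30 * 30, second=0, microsecond=0)  # timeslice 30m
        groups[(sl, n["source_ip"], n["platform"])].append(n)
    rows = []
    for (sl, ip, platform), rs in groups.items():
        r = {"_timeslice": sl, "platform": platform, "source_ip": ip, "actor": rs[0]["actor"],
             "user_agent_sample": rs[0]["ua"], "total_requests": len(rs),
             "unique_objects": len({x["object_key"] for x in rs}),
             "target_resources": sorted({x["target"] for x in rs})}
        for col, key, fn in (("download_count", "is_download", sum), ("enum_count", "is_enum", sum),
                             ("has_anonymous_access", "is_anonymous", max), ("known_tool_detected", "tool_match", max),
                             ("storage_config_change", "is_config_change", max)):
            r[col] = fn(x[key] for x in rs)
        dl = r["download_count"]
        if not (dl > 50 or r["has_anonymous_access"] or r["known_tool_detected"]
                or r["enum_count"] > 20 or r["storage_config_change"]):
            continue
        if r["actor"] in allowlist and not r["has_anonymous_access"]:
            continue  # tuning: known migration / key-rotation automation
        score = ((3 if r["has_anonymous_access"] else 0) + (3 if dl > 500 else 2 if dl > 100 else 1 if dl > 50 else 0)
                 + (1 if r["enum_count"] > 20 else 0) + 2 * r["known_tool_detected"] + 2 * r["storage_config_change"])
        r["suspicion_score"] = score
        r["severity"] = "High" if r["has_anonymous_access"] or score >= 5 else "Medium" if score >= 3 else "Low"
        rows.append(r)
    return sorted(rows, key=lambda x: x["_timeslice"], reverse=True)

MIGRATION_ARN = "arn:aws:iam::111122223333:user/migration-svc"   # hypothetical authorised migration account
ROTATION_ACCOUNT = "rotation-automation@example.com"             # hypothetical key-rotation automation

def _s3(ip, name, key, arn=None, ua="Mozilla/5.0", anon=False, minute=5):
    ident = {"type": "AnonUser", "principalId": "anonymous"} if anon else {"type": "IAMUser", "arn": arn}
    return {"eventTime": f"2024-05-01T10:{minute:02d}:00Z", "eventSource": "s3.amazonaws.com", "eventName": name,
            "userIdentity": ident, "sourceIPAddress": ip, "userAgent": ua,
            "requestParameters": {"bucketName": "example-bucket", "key": key}}

SAMPLE_EVENTS = (  # constructed telemetry
    [_s3("203.0.113.10", "ListObjectsV2", None, MIGRATION_ARN, "rclone/v1.65.0")]                # bulk sync via rclone
    + [_s3("203.0.113.10", "GetObject", f"data/{i}.csv", MIGRATION_ARN, "rclone/v1.65.0") for i in range(60)]
    + [_s3("198.51.100.7", "GetObject", f"public/{i}.pdf", anon=True, minute=40) for i in range(3)]  # anonymous reads
    + [{"eventTime": "2024-05-01T11:02:00Z", "resourceProvider": "MICROSOFT.STORAGE", "caller": ROTATION_ACCOUNT,
        "operationName": "Microsoft.Storage/storageAccounts/listKeys/action", "callerIpAddress": "192.0.2.5",
        "resourceId": "/subscriptions/SUB-PLACEHOLDER/providers/Microsoft.Storage/storageAccounts/examplestor"}]
    + [{"eventTime": "2024-05-01T11:10:00Z", "Workload": "OneDrive", "Operation": "FileDownloaded",
        "UserId": "alice@example.com", "ClientIP": "192.0.2.9", "UserAgent": "AADInternals",  # tool signature
        "SiteUrl": "https://example-my.sharepoint.com/personal/alice/", "SourceFileName": f"doc{i}.docx"}
       for i in range(10)])
```

`detect(SAMPLE_EVENTS)` returns four rows: the anonymous reads score 3 and are High regardless of volume, the rclone sync of 60 objects scores 3 (1 for volume, 2 for the tool signature) and is Medium, and the key listing and the AADInternals download each score 2 and are Low. Passing `allowlist=frozenset({MIGRATION_ARN, ROTATION_ACCOUNT})` drops the migration and rotation rows while the anonymous row stays High, which is the behaviour the tuning notes call for. Note that the `unknown` placeholder assigned to the ListObjectsV2 call counts towards `unique_objects` exactly as the query's distinct-object count does, so that column reads one higher than the number of files fetched.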
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see.
- Test 1: AWS S3 Anonymous Bucket Enumeration and Download
  Expected signal: AWS CloudTrail will record ListObjects and GetObject events with userIdentity.type=Anonymous and userIdentity.principalId=anonymous. sourceIPAddress will be the tester's public IP. No ARN is present in the identity block. S3 server access logs (if enabled) will show "-" as the requester.
- Test 2: AWS S3 Bulk Object Download with Valid Credentials
  Expected signal: CloudTrail records a ListObjects call (eventName=ListObjectsV2) and multiple GetObject events from the same source IP within a short window. userIdentity.type=IAMUser or AssumedRole with the test key ARN. requestParameters.bucketName contains the target bucket. The high event volume triggers the 50+ GetObject threshold in the detection query.
- Test 3: Rclone Cloud Storage Sync (Exfiltration Tool Pattern)
  Expected signal: CloudTrail GetObject and ListObjectsV2 events with a userAgent containing the 'rclone/' version string (e.g., 'rclone/v1.65.0'). High-volume sequential GetObject events for each file in the bucket. The rclone.conf file will contain plaintext cloud credentials at ~/.config/rclone/rclone.conf — a forensic artifact.
- Test 4: AADInternals OneDrive File Collection
  Expected signal: Microsoft 365 OfficeActivity logs: FileDownloaded operations with UserId matching the authenticated account and OfficeWorkload=OneDrive. UserAgent will identify AADInternals. ClientIP will be the tester's IP. Events appear in the Unified Audit Log within minutes. Entra ID SigninLogs will show the authentication used to obtain the access token.
References
- https://attack.mitre.org/techniques/T1530/
- https://aws.amazon.com/premiumsupport/knowledge-center/secure-s3-resources/
- https://docs.microsoft.com/en-us/azure/storage/common/storage-security-guide
- https://redcanary.com/blog/rclone-mega-extortion/
- https://www.trendmicro.com/vinfo/us/security/news/virtualization-and-cloud/a-misconfigured-amazon-s3-exposed-almost-50-thousand-pii-in-australia
- https://github.com/RhinoSecurityLabs/pacu
- https://github.com/Gerenios/AADInternals
- https://learn.microsoft.com/en-us/azure/storage/blobs/monitor-blob-storage-reference
- https://learn.microsoft.com/en-us/microsoft-365/compliance/audit-log-activities
- https://docs.aws.amazon.com/AmazonS3/latest/userguide/cloudtrail-logging.html
- https://www.microsoft.com/en-us/security/blog/2024/09/26/storm-0501-ransomware-attacks-expanding-to-hybrid-cloud-environments/