T1580

Cloud Infrastructure Discovery

Discovery Last updated:

This detection identifies adversaries enumerating cloud infrastructure resources across AWS, Azure, and GCP environments. Attackers leverage cloud provider APIs and CLI tools to discover compute instances, storage buckets, databases, snapshots, and network configurations using compromised credentials. The detection monitors for high-volume or broad-scope API calls characteristic of automated enumeration tools like Pacu, bulk read operations across multiple resource types in short time windows, and enumeration patterns associated with threat actors like Scattered Spider and Storm-0501 who use cloud discovery to identify high-value targets before establishing persistence or staging data exfiltration.

What is T1580 Cloud Infrastructure Discovery?

Cloud Infrastructure Discovery (T1580) maps to the Discovery tactic — the adversary is trying to figure out your environment in MITRE ATT&CK.

This page provides production-ready detection logic for Cloud Infrastructure Discovery, covering the data sources and telemetry it touches: AWS CloudTrail (via Sentinel connector), Azure Activity Logs. The queries below are rated high severity at medium confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Discovery
Technique
T1580 Cloud Infrastructure Discovery
Canonical reference
https://attack.mitre.org/techniques/T1580/
Microsoft Sentinel / Defender
kusto 
let AwsDiscoveryAPIs = dynamic([
    "DescribeInstances", "DescribeVolumes", "DescribeSnapshots", "DescribeImages",
    "ListBuckets", "HeadBucket", "GetPublicAccessBlock", "GetBucketAcl", "GetBucketPolicy",
    "DescribeDBInstances", "DescribeDBClusters", "DescribeDBSnapshots",
    "DescribeSecurityGroups", "DescribeVpcs", "DescribeSubnets",
    "DescribeNetworkInterfaces", "DescribeRouteTables", "DescribeInternetGateways",
    "ListFunctions", "ListTables", "DescribeClusters", "GetCallerIdentity",
    "ListRoles", "ListUsers", "ListBuckets", "DescribeLoadBalancers",
    "DescribeAutoScalingGroups", "DescribeKeyPairs"
]);
let AzureDiscoveryOps = dynamic([
    "microsoft.compute/virtualmachines/read",
    "microsoft.storage/storageaccounts/read",
    "microsoft.sql/servers/read",
    "microsoft.network/virtualnetworks/read",
    "microsoft.keyvault/vaults/read",
    "microsoft.containerservice/managedclusters/read",
    "microsoft.resources/subscriptions/resources/read"
]);
let lookback = 15m;
let BurstThreshold = 10;
let APISpreadThreshold = 5;
// AWS CloudTrail: detect burst enumeration
let AwsEnumeration = AWSCloudTrail
| where TimeGenerated >= ago(1h)
| where EventName in (AwsDiscoveryAPIs)
| where isnotempty(UserIdentityArn)
| summarize
    DiscoveryCount = count(),
    DistinctAPIs = dcount(EventName),
    APIList = make_set(EventName, 50),
    DistinctRegions = dcount(AWSRegion),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(SourceIPAddress, 10)
    by UserIdentityArn, UserIdentityAccountId, bin(TimeGenerated, lookback)
| where DiscoveryCount >= BurstThreshold or DistinctAPIs >= APISpreadThreshold
| extend CloudProvider = "AWS", Identity = UserIdentityArn, AccountId = UserIdentityAccountId
| project TimeGenerated, CloudProvider, Identity, AccountId, DiscoveryCount, DistinctAPIs, APIList, DistinctRegions, SourceIPs, FirstSeen, LastSeen;
// Azure Activity: detect bulk read enumeration
let AzureEnumeration = AzureActivity
| where TimeGenerated >= ago(1h)
| where tolower(OperationNameValue) in (AzureDiscoveryOps)
| where ActivityStatusValue =~ "Success"
| summarize
    DiscoveryCount = count(),
    DistinctOps = dcount(OperationNameValue),
    OpList = make_set(OperationNameValue, 50),
    DistinctResourceGroups = dcount(ResourceGroup),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(CallerIpAddress, 10)
    by Caller, SubscriptionId, bin(TimeGenerated, lookback)
| where DiscoveryCount >= BurstThreshold or DistinctOps >= APISpreadThreshold
| extend CloudProvider = "Azure", Identity = Caller, AccountId = SubscriptionId, APIList = OpList, DistinctRegions = DistinctResourceGroups
| project TimeGenerated, CloudProvider, Identity, AccountId, DiscoveryCount, DistinctAPIs = DistinctOps, APIList, DistinctRegions, SourceIPs, FirstSeen, LastSeen;
// Union and score
union AwsEnumeration, AzureEnumeration
| extend
    RiskScore = case(
        DistinctAPIs >= 10 and DiscoveryCount >= 50, 90,
        DistinctAPIs >= 7 and DiscoveryCount >= 20, 70,
        DistinctAPIs >= 5 or DiscoveryCount >= 10, 50,
        30
    )
| sort by RiskScore desc, DiscoveryCount desc
| project TimeGenerated, CloudProvider, Identity, AccountId, DiscoveryCount, DistinctAPIs, APIList, DistinctRegions, SourceIPs, FirstSeen, LastSeen, RiskScore

Detects high-volume or broad-scope cloud infrastructure enumeration across AWS and Azure by correlating API call volumes and API diversity from a single identity within a 15-minute window. Fires when an identity makes 10+ discovery API calls or calls 5+ distinct discovery APIs in the window, which is characteristic of automated enumeration tools. Scores risk based on API spread and volume to prioritize true positives.

high severity medium confidence

Data Sources

AWS CloudTrail (via Sentinel connector) Azure Activity Logs

Required Tables

AWSCloudTrail AzureActivity

False Positives

  • Legitimate cloud management platforms (Terraform, Pulumi, CloudFormation) performing state refresh that enumerate all resources at plan/apply time
  • Security posture management tools (Wiz, Prisma Cloud, Orca) performing scheduled asset inventory scans across the entire environment
  • Cloud cost management and optimization tools (CloudHealth, Spot.io) querying instance and storage metadata for billing analysis
  • CI/CD pipelines with infrastructure-as-code that execute bulk describe operations during deployment validation
  • Cloud backup agents (Veeam, Cohesity) performing pre-backup infrastructure discovery to identify targets

Sigma rule & cross-platform mapping

The detection logic for Cloud Infrastructure Discovery (T1580) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource: 

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:

SigmaHQ rules for T1580 Sigma rules on detection.fyi

Platform-specific guides for T1580

Detect in Microsoft Sentinel (KQL) Detect in Splunk (SPL) Detect in Elastic Security (Elastic) Detect in IBM QRadar (QRadar) Detect in Sumo Logic CSE (Sumo) Detect in Google Chronicle (YARA-L) Detect in CrowdStrike LogScale (LogScale)
Last updated: 2026-03-19 Research depth: deep
References (10)

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS Infrastructure Enumeration via CLI

    Expected signal: CloudTrail management events for: GetCallerIdentity, DescribeInstances (multiple regions), ListBuckets, GetPublicAccessBlock, GetBucketAcl, DescribeDBInstances, DescribeKeyPairs, DescribeSecurityGroups — all appearing within a short time window from the same identity and source IP

  2. Test 2Azure Infrastructure Enumeration via Azure CLI

    Expected signal: Azure Activity Log entries for operations: Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read, Microsoft.Sql/servers/read, Microsoft.Network/virtualNetworks/read, Microsoft.KeyVault/vaults/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Resources/subscriptions/resourcegroups/read — all from same caller within a short window

  3. Test 3Automated Cloud Enumeration with Pacu (AWS Exploitation Framework)

    Expected signal: CloudTrail management events with UserAgent containing 'pacu' or 'Boto3' (Pacu uses Boto3 SDK). Expect 50+ API calls across ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeSnapshots, s3:ListBuckets, iam:ListUsers, iam:ListRoles, iam:ListPolicies, rds:DescribeDBInstances, lambda:ListFunctions within minutes from a single identity

Unlock Pro Content

Get the full detection package for T1580 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Tactic Hub

TA0007Discovery

Related Techniques

T1526Cloud Service DiscoveryT1033System Owner/User DiscoveryT1087.004Cloud AccountT1530Data from Cloud StorageT1537Transfer Data to Cloud AccountT1078.004Cloud AccountsT1595.003Wordlist ScanningT1069.003Cloud Groups

Same Tactic: Discovery

Popular Detections