T1580 Cloud Infrastructure Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let AwsDiscoveryAPIs = dynamic([
    "DescribeInstances", "DescribeVolumes", "DescribeSnapshots", "DescribeImages",
    "ListBuckets", "HeadBucket", "GetPublicAccessBlock", "GetBucketAcl", "GetBucketPolicy",
    "DescribeDBInstances", "DescribeDBClusters", "DescribeDBSnapshots",
    "DescribeSecurityGroups", "DescribeVpcs", "DescribeSubnets",
    "DescribeNetworkInterfaces", "DescribeRouteTables", "DescribeInternetGateways",
    "ListFunctions", "ListTables", "DescribeClusters", "GetCallerIdentity",
    "ListRoles", "ListUsers", "ListBuckets", "DescribeLoadBalancers",
    "DescribeAutoScalingGroups", "DescribeKeyPairs"
]);
let AzureDiscoveryOps = dynamic([
    "microsoft.compute/virtualmachines/read",
    "microsoft.storage/storageaccounts/read",
    "microsoft.sql/servers/read",
    "microsoft.network/virtualnetworks/read",
    "microsoft.keyvault/vaults/read",
    "microsoft.containerservice/managedclusters/read",
    "microsoft.resources/subscriptions/resources/read"
]);
let lookback = 15m;
let BurstThreshold = 10;
let APISpreadThreshold = 5;
// AWS CloudTrail: detect burst enumeration
let AwsEnumeration = AWSCloudTrail
| where TimeGenerated >= ago(1h)
| where EventName in (AwsDiscoveryAPIs)
| where isnotempty(UserIdentityArn)
| summarize
    DiscoveryCount = count(),
    DistinctAPIs = dcount(EventName),
    APIList = make_set(EventName, 50),
    DistinctRegions = dcount(AWSRegion),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(SourceIPAddress, 10)
    by UserIdentityArn, UserIdentityAccountId, bin(TimeGenerated, lookback)
| where DiscoveryCount >= BurstThreshold or DistinctAPIs >= APISpreadThreshold
| extend CloudProvider = "AWS", Identity = UserIdentityArn, AccountId = UserIdentityAccountId
| project TimeGenerated, CloudProvider, Identity, AccountId, DiscoveryCount, DistinctAPIs, APIList, DistinctRegions, SourceIPs, FirstSeen, LastSeen;
// Azure Activity: detect bulk read enumeration
let AzureEnumeration = AzureActivity
| where TimeGenerated >= ago(1h)
| where tolower(OperationNameValue) in (AzureDiscoveryOps)
| where ActivityStatusValue =~ "Success"
| summarize
    DiscoveryCount = count(),
    DistinctOps = dcount(OperationNameValue),
    OpList = make_set(OperationNameValue, 50),
    DistinctResourceGroups = dcount(ResourceGroup),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SourceIPs = make_set(CallerIpAddress, 10)
    by Caller, SubscriptionId, bin(TimeGenerated, lookback)
| where DiscoveryCount >= BurstThreshold or DistinctOps >= APISpreadThreshold
| extend CloudProvider = "Azure", Identity = Caller, AccountId = SubscriptionId, APIList = OpList, DistinctRegions = DistinctResourceGroups
| project TimeGenerated, CloudProvider, Identity, AccountId, DiscoveryCount, DistinctAPIs = DistinctOps, APIList, DistinctRegions, SourceIPs, FirstSeen, LastSeen;
// Union and score
union AwsEnumeration, AzureEnumeration
| extend
    RiskScore = case(
        DistinctAPIs >= 10 and DiscoveryCount >= 50, 90,
        DistinctAPIs >= 7 and DiscoveryCount >= 20, 70,
        DistinctAPIs >= 5 or DiscoveryCount >= 10, 50,
        30
    )
| sort by RiskScore desc, DiscoveryCount desc
| project TimeGenerated, CloudProvider, Identity, AccountId, DiscoveryCount, DistinctAPIs, APIList, DistinctRegions, SourceIPs, FirstSeen, LastSeen, RiskScore

high severity medium confidence

Data Sources

AWS CloudTrail (via Sentinel connector) Azure Activity Logs

Required Tables

AWSCloudTrail AzureActivity

False Positives

Legitimate cloud management platforms (Terraform, Pulumi, CloudFormation) performing state refresh that enumerate all resources at plan/apply time
Security posture management tools (Wiz, Prisma Cloud, Orca) performing scheduled asset inventory scans across the entire environment
Cloud cost management and optimization tools (CloudHealth, Spot.io) querying instance and storage metadata for billing analysis
CI/CD pipelines with infrastructure-as-code that execute bulk describe operations during deployment validation
Cloud backup agents (Veeam, Cohesity) performing pre-backup infrastructure discovery to identify targets

Splunk

spl

index=* (sourcetype="aws:cloudtrail" OR sourcetype="azure:activity")
| eval cloud_provider=case(
    sourcetype="aws:cloudtrail", "AWS",
    sourcetype="azure:activity", "Azure",
    true(), "Unknown"
  )
| eval api_name=coalesce(eventName, operationName)
| eval identity=coalesce('userIdentity.arn', 'userIdentity.userName', caller)
| eval source_ip=coalesce(sourceIPAddress, callerIpAddress)
| search api_name IN (
    "DescribeInstances", "DescribeVolumes", "DescribeSnapshots", "DescribeImages",
    "ListBuckets", "HeadBucket", "GetPublicAccessBlock", "GetBucketAcl", "GetBucketPolicy",
    "DescribeDBInstances", "DescribeDBClusters", "DescribeDBSnapshots",
    "DescribeSecurityGroups", "DescribeVpcs", "DescribeSubnets",
    "DescribeNetworkInterfaces", "DescribeRouteTables", "ListFunctions",
    "ListRoles", "ListUsers", "GetCallerIdentity", "DescribeLoadBalancers",
    "DescribeAutoScalingGroups", "DescribeKeyPairs",
    "Microsoft.Compute/virtualMachines/read",
    "Microsoft.Storage/storageAccounts/read",
    "Microsoft.Sql/servers/read",
    "Microsoft.Network/virtualNetworks/read",
    "Microsoft.KeyVault/vaults/read"
  )
| bin _time span=15m
| stats
    count as discovery_count,
    dc(api_name) as distinct_apis,
    values(api_name) as api_list,
    dc(source_ip) as distinct_ips,
    values(source_ip) as source_ips,
    earliest(_time) as first_seen,
    latest(_time) as last_seen
    by cloud_provider, identity, _time
| where discovery_count >= 10 OR distinct_apis >= 5
| eval risk_score=case(
    distinct_apis >= 10 AND discovery_count >= 50, 90,
    distinct_apis >= 7 AND discovery_count >= 20, 70,
    distinct_apis >= 5 OR discovery_count >= 10, 50,
    true(), 30
  )
| eval time_window_minutes=round((last_seen - first_seen) / 60, 1)
| eval detection_window="15m"
| sort -risk_score -discovery_count
| table _time, cloud_provider, identity, source_ips, discovery_count, distinct_apis, api_list, time_window_minutes, risk_score

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Logs

Required Sourcetypes

aws:cloudtrail azure:activity

False Positives

Infrastructure-as-code tools (Terraform, Pulumi) performing plan operations that enumerate current state before computing diffs
Cloud security posture management (CSPM) platforms performing scheduled compliance scans against all resource types
Automated backup solutions conducting pre-backup discovery to catalog cloud assets for protection scope
Cloud-native monitoring agents performing resource health checks across compute and storage tiers
DevOps automation pipelines validating environment state after deployments via bulk describe operations

Elastic Security (EQL)

eql

any where event.dataset : ("aws.cloudtrail", "azure.activitylogs")
  and event.action : ("DescribeInstances", "ListBuckets", "DescribeSecurityGroups",
                      "Microsoft.Compute/virtualMachines/read", "Microsoft.Network/virtualNetworks/read")

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Logs

Required Tables

logs-aws.cloudtrail.* logs-azure.activitylogs.*

False Positives

Cloud administrators performing authorized inventory audits
Legitimate cloud management tools (AWS Systems Manager, Azure Monitor) enumerating resources
Security scanning tools performing authorized cloud configuration reviews
DevOps pipelines that enumerate resources for infrastructure-as-code state management

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime,'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username, "Operation" AS CloudOperation,
  "ResourceType" AS CloudResource,
  "ResourceGroup", "SubscriptionId",
  CASE
    WHEN "Operation" ILIKE '%delete%' OR "Operation" ILIKE '%destroy%' THEN 90
    WHEN "Operation" ILIKE '%snapshot%' AND "ResultType" = 'Success' THEN 70
    WHEN "Operation" ILIKE '%create%instance%' THEN 60
    ELSE 40
  END AS RiskScore,
  CASE
    WHEN "Operation" ILIKE '%delete%' THEN 'Cloud Resource Deletion'
    WHEN "Operation" ILIKE '%snapshot%' THEN 'Snapshot Operation'
    WHEN "Operation" ILIKE '%create%' THEN 'Cloud Resource Creation'
    ELSE 'Cloud Modification'
  END AS AlertType
FROM events
WHERE LOGSOURCETYPENAME(devicetype) ILIKE '%azure%' OR LOGSOURCETYPENAME(devicetype) ILIKE '%cloudtrail%'
  AND ("Operation" ILIKE '%compute%' OR "Operation" ILIKE '%instance%' OR "Operation" ILIKE '%snapshot%' OR "Operation" ILIKE '%virtualMachine%')
  AND username NOT ILIKE '%azure%automation%'
  AND username NOT ILIKE '%backup%service%'
ORDER BY RiskScore DESC
LAST 1 HOURS

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

events

False Positives

Authorized cloud inventory scans by cloud management platforms
DevOps tools enumerating cloud resources for infrastructure management
Security scanners performing authorized cloud posture assessments
IT teams running regular cloud resource audits

Sumo Logic CSE

sql

_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
    if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
    if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
    if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount desc

high severity medium confidence

Data Sources

Azure Activity Logs AWS CloudTrail

Required Tables

_sourceCategory=*azure* _sourceCategory=*aws*cloudtrail*

False Positives

Authorized cloud infrastructure audits by cloud management platforms
DevOps tools enumerating resources for Terraform or CloudFormation state
Security compliance tools performing cloud posture assessments
Automated billing or capacity planning tools scanning cloud resources

Google Chronicle / SecOps

yaral

rule T1580_cloud_infra_modification {
  meta:
    author = "Detection Engineering"
    description = "Detects suspicious cloud infrastructure modifications"
    severity = "high"
    confidence = "medium"
    mitre_attack = "T1580"
    reference = "https://attack.mitre.org/techniques/T1580/"

  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    re.regex($e.metadata.product_event_type, `(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)`)
    not re.regex($e.principal.user.email_addresses, `(?i)(backup|automation|serviceaccount)`)

  condition:
    $e
}

high severity medium confidence

Data Sources

Google Chronicle SIEM Cloud audit logs (Azure/AWS)

Required Tables

USER_RESOURCE_ACCESS

False Positives

Cloud management platforms performing authorized scheduled resource inventories
Infrastructure-as-code tools enumerating cloud state for reconciliation
Security compliance scanners performing authorized cloud posture assessments
Automated cost optimization tools enumerating cloud resources

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "CloudResourceModification"
| OperationName = /(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify|revert)/
| ActorUserName != /(?i)(backup|automation|serviceaccount|scheduler)/
| groupBy([aid, ActorUserName, OperationName, ResourceType, ResourceName], function=[count(as=OpCount), min(timestamp, as=FirstSeen)])
| case {
    OperationName = /(?i)(delete|destroy|terminate)/ => RiskScore := "High";
    OperationName = /(?i)(snapshot|create)/ => RiskScore := "Medium";
    * => RiskScore := "Low";
  }
| where RiskScore in ("High", "Medium")
| table([ActorUserName, OperationName, ResourceType, ResourceName, OpCount, RiskScore, FirstSeen])
| sort(RiskScore)

high severity medium confidence

Data Sources

CrowdStrike Falcon Horizon (Cloud Security) Cloud audit logs

Required Tables

CloudResourceModification

False Positives

Cloud management platforms performing authorized resource discovery and inventories
Terraform or CloudFormation state reconciliation queries against cloud APIs
Authorized security posture management tools scanning cloud configurations
Automated billing, tagging, or compliance tools enumerating cloud resources

Cloud Infrastructure Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections