Detect Cloud Infrastructure Discovery in Sumo Logic CSE
This detection identifies adversaries enumerating cloud infrastructure resources across AWS, Azure, and GCP environments. Attackers leverage cloud provider APIs and CLI tools to discover compute instances, storage buckets, databases, snapshots, and network configurations using compromised credentials. The detection monitors for high-volume or broad-scope API calls characteristic of automated enumeration tools like Pacu, bulk read operations across multiple resource types in short time windows, and enumeration patterns associated with threat actors like Scattered Spider and Storm-0501 who use cloud discovery to identify high-value targets before establishing persistence or staging data exfiltration.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1580 Cloud Infrastructure Discovery
- Canonical reference: https://attack.mitre.org/techniques/T1580/
Sumo Detection Query
_sourceCategory=*azure*activitylog* OR _sourceCategory=*aws*cloudtrail*
| json auto
| where matches(operationName, "(?i)(snapshot|virtualMachine|instance|compute|create|delete|modify)")
| eval RiskLevel = if(matches(operationName, "(?i)(delete|destroy|terminate)"), "High",
if(matches(operationName, "(?i)(snapshot|create)"), "Medium", "Low"))
| where RiskLevel in ("High","Medium")
| eval AlertType = if(matches(operationName, "(?i)delete"), "Cloud Resource Deletion",
if(matches(operationName, "(?i)snapshot"), "Snapshot Operation",
if(matches(operationName, "(?i)create"), "Resource Creation", "Cloud Modification")))
| where caller != "azure-backup" and !matches(caller, "(?i)automation")
| stats count AS OpCount, values(operationName) AS Operations, values(RiskLevel) AS RiskLevels by _sourceHost, caller, resourceGroup
| sort by OpCount desc

Sumo Logic detection for Cloud Infrastructure Discovery. Detects high-volume or broad-scope cloud infrastructure enumeration across AWS and Azure by correlating API call volumes and API diversity from a single identity within a 15-minute window. Fires when
Data Sources
Required Tables
False Positives & Tuning
- Authorized cloud infrastructure audits by cloud management platforms
- DevOps tools enumerating resources for Terraform or CloudFormation state
- Security compliance tools performing cloud posture assessments
- Automated billing or capacity planning tools scanning cloud resources
Other platforms for T1580
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS Infrastructure Enumeration via CLI
Expected signal: CloudTrail management events for: GetCallerIdentity, DescribeInstances (multiple regions), ListBuckets, GetPublicAccessBlock, GetBucketAcl, DescribeDBInstances, DescribeKeyPairs, DescribeSecurityGroups — all appearing within a short time window from the same identity and source IP
- Test 2: Azure Infrastructure Enumeration via Azure CLI
Expected signal: Azure Activity Log entries for operations: Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read, Microsoft.Sql/servers/read, Microsoft.Network/virtualNetworks/read, Microsoft.KeyVault/vaults/read, Microsoft.ContainerService/managedClusters/read, Microsoft.Resources/subscriptions/resourcegroups/read — all from same caller within a short window
- Test 3: Automated Cloud Enumeration with Pacu (AWS Exploitation Framework)
Expected signal: CloudTrail management events with UserAgent containing 'pacu' or 'Boto3' (Pacu is built on the Boto3 SDK). Expect 50+ API calls across ec2:DescribeInstances, ec2:DescribeVolumes, ec2:DescribeSnapshots, s3:ListBuckets, iam:ListUsers, iam:ListRoles, iam:ListPolicies, rds:DescribeDBInstances, lambda:ListFunctions within minutes from a single identity
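The description under the Sumo query states the actual detection logic (API call volume plus API diversity from one identity inside a 15-minute window), and Tests 1 and 3 above describe the CloudTrail telemetry that logic should fire on. Note that the query as written keeps only RiskLevel "High" and "Medium", i.e. create, delete and snapshot operations, so the pure Describe/List/Get reads that these tests generate would be filtered out before the stats step. The following Python is an added example, not the page's query or any vendor code: it implements the windowed volume-and-diversity correlation over CloudTrail-style JSON records, flags the user-agent markers named in Test 3, and applies an allowlist for the automation principals listed under False Positives & Tuning. The thresholds, the ARNs, the user-agent string and the event records are all constructed assumptions.

```python
"""Windowed cloud-enumeration detector over CloudTrail-style events (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

MIN_CALLS = 8                      # assumed volume threshold per identity per window
MIN_DISTINCT_APIS = 5              # assumed diversity threshold per identity per window
TOOL_MARKERS = ("pacu", "boto3")   # user-agent substrings named in the page's Test 3
READ_PREFIXES = ("Describe", "List", "Get")   # discovery-style management events
# Assumed tuning allowlist: IaC / posture tooling principals (constructed ARN)
ALLOWED_PRINCIPALS = {"arn:aws:iam::111122223333:role/terraform-plan"}


def parse_event(line: str) -> dict:
    """Reduce one CloudTrail JSON record to the fields the detection needs."""
    ev = json.loads(line)
    service = ev["eventSource"].split(".")[0]          # "ec2.amazonaws.com" -> "ec2"
    return {
        "time": datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ"),
        "identity": ev["userIdentity"]["arn"],
        "api": f'{service}:{ev["eventName"]}',          # "ec2:DescribeInstances"
        "ip": ev["sourceIPAddress"],
        "ua": ev.get("userAgent", ""),
    }


def detect(lines, window_minutes=15, min_calls=MIN_CALLS, min_apis=MIN_DISTINCT_APIS):
    """Return one alert per identity whose read-only API calls exceed both the
    volume and the diversity threshold inside some sliding window."""
    window = timedelta(minutes=window_minutes)
    per_identity = defaultdict(list)
    for ev in sorted(map(parse_event, lines), key=lambda e: e["time"]):
        if ev["identity"] in ALLOWED_PRINCIPALS:
            continue                                   # tuning: skip known automation
        if ev["api"].split(":")[1].startswith(READ_PREFIXES):
            per_identity[ev["identity"]].append(ev)    # keep discovery calls only

    alerts = []
    for identity, evs in per_identity.items():
        best, start = None, 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1                             # slide the window start forward
            chunk = evs[start:end + 1]
            apis = {e["api"] for e in chunk}
            if len(chunk) < min_calls or len(apis) < min_apis:
                continue
            if best is None or len(chunk) > best["call_count"]:
                tool_ua = any(m in e["ua"].lower() for e in chunk for m in TOOL_MARKERS)
                best = {
                    "identity": identity,
                    "call_count": len(chunk),
                    "distinct_apis": len(apis),
                    "services": sorted({a.split(":")[0] for a in apis}),
                    "source_ips": sorted({e["ip"] for e in chunk}),
                    "tool_user_agent": tool_ua,
                    "severity": "High" if tool_ua or len(apis) >= 2 * min_apis else "Medium",
                }
        if best:
            alerts.append(best)
    return alerts


def _ev(minute, arn, source, name, ua, ip="198.51.100.7"):
    """Build one constructed CloudTrail-style record (sample data, not real telemetry)."""
    return json.dumps({
        "eventTime": f"2024-05-01T10:{minute:02d}:00Z",
        "userIdentity": {"arn": arn},
        "eventSource": f"{source}.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userAgent": ua,
    })


ATTACKER = "arn:aws:iam::111122223333:user/leaked-ci-user"      # constructed
ADMIN = "arn:aws:iam::111122223333:user/ops-admin"              # constructed
TF_ROLE = "arn:aws:iam::111122223333:role/terraform-plan"       # constructed, allowlisted
PACU_UA = "Boto3/1.34.0 md/Botocore#1.34.0 os/linux python/3.11 pacu"  # constructed

SAMPLE_EVENTS = [
    # nine read calls across six services in four minutes, Boto3/pacu user agent
    _ev(0, ATTACKER, "sts", "GetCallerIdentity", PACU_UA),
    _ev(1, ATTACKER, "ec2", "DescribeInstances", PACU_UA),
    _ev(1, ATTACKER, "ec2", "DescribeVolumes", PACU_UA),
    _ev(2, ATTACKER, "ec2", "DescribeSnapshots", PACU_UA),
    _ev(2, ATTACKER, "s3", "ListBuckets", PACU_UA),
    _ev(3, ATTACKER, "iam", "ListUsers", PACU_UA),
    _ev(3, ATTACKER, "iam", "ListRoles", PACU_UA),
    _ev(4, ATTACKER, "rds", "DescribeDBInstances", PACU_UA),
    _ev(4, ATTACKER, "lambda", "ListFunctions", PACU_UA),
    _ev(5, ATTACKER, "ec2", "RunInstances", PACU_UA),   # write call, not a discovery read
    # Terraform role doing a burst of reads: allowlisted, so never alerted
    *[_ev(m, TF_ROLE, "ec2", n, "aws-sdk-go/1.44 terraform") for m, n in enumerate(
        ["DescribeInstances", "DescribeVolumes", "DescribeSecurityGroups", "DescribeKeyPairs",
         "DescribeSubnets", "DescribeVpcs", "DescribeImages", "DescribeAddresses"])],
    # an admin doing a few console reads spread over time: below the volume threshold
    _ev(10, ADMIN, "ec2", "DescribeInstances", "console.amazonaws.com", "203.0.113.5"),
    _ev(12, ADMIN, "s3", "ListBuckets", "console.amazonaws.com", "203.0.113.5"),
    _ev(40, ADMIN, "rds", "DescribeDBInstances", "console.amazonaws.com", "203.0.113.5"),
]

if __name__ == "__main__":
    print(json.dumps(detect(SAMPLE_EVENTS), indent=2))
```

On the sample data only the compromised user is reported: nine distinct read APIs across sts, ec2, s3, iam, rds and lambda inside four minutes, with the tool user agent raising severity to High. The Terraform role generates the same kind of burst but is dropped by the allowlist, which is the tuning the False Positives section calls for, and the admin's three spaced-out reads never reach the volume threshold. Lowering `window_minutes` or raising `min_calls` shows how the sliding window, rather than the raw count, decides whether the burst fires.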
References (10)
- https://attack.mitre.org/techniques/T1580/
- https://docs.aws.amazon.com/AWSEC2/latest/APIReference/API_DescribeInstances.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_ListBuckets.html
- https://docs.aws.amazon.com/AmazonS3/latest/API/API_GetPublicAccessBlock.html
- https://github.com/RhinoSecurityLabs/pacu
- https://www.mandiant.com/resources/m-trends-2020
- https://expel.com/blog/finding-evil-in-aws/
- https://www.microsoft.com/en-us/security/blog/2023/10/25/octo-tempest-crosses-boundaries-to-facilitate-extortion-encryption-and-destruction/
- https://cloud.google.com/sdk/gcloud/reference/compute/instances/list
- https://learn.microsoft.com/en-us/cli/azure/vm?view=azure-cli-latest#az-vm-list