T1619 Cloud Storage Object Discovery Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

let LookbackWindow = 1h;
let HighVolumeThreshold = 50;
let UniqueBucketThreshold = 5;
// AWS S3 enumeration via CloudTrail
let AWSS3Discovery = AWSCloudTrail
| where TimeGenerated >= ago(LookbackWindow)
| where EventName in ("ListBuckets", "ListObjects", "ListObjectsV2", "ListObjectVersions", "ListMultipartUploads", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation")
| extend UserIdentity = coalesce(UserIdentityArn, UserIdentityUserName, UserIdentityPrincipalid)
| summarize
    OperationCount = count(),
    UniqueBuckets = dcount(tostring(RequestParameters)),
    Operations = make_set(EventName),
    SourceIPs = make_set(SourceIpAddress),
    AWSRegions = make_set(AWSRegion),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by UserIdentity, UserIdentityType, UserAgent, bin(TimeGenerated, 10m)
| where OperationCount > HighVolumeThreshold or UniqueBuckets > UniqueBucketThreshold
| extend Platform = "AWS", Severity = iff(OperationCount > 200 or UniqueBuckets > 20, "High", "Medium")
| project TimeGenerated, Platform, UserIdentity, UserIdentityType, UserAgent, OperationCount, UniqueBuckets, Operations, SourceIPs, AWSRegions, FirstSeen, LastSeen, Severity;
// Azure Blob Storage enumeration
let AzureBlobDiscovery = StorageBlobLogs
| where TimeGenerated >= ago(LookbackWindow)
| where OperationName in ("ListBlobs", "ListContainers", "GetContainerProperties", "GetBlobServiceProperties", "ListBlobsFlatSegment", "ListBlobsHierarchySegment")
| summarize
    OperationCount = count(),
    UniqueContainers = dcount(Uri),
    Operations = make_set(OperationName),
    SourceIPs = make_set(CallerIpAddress),
    Accounts = make_set(AccountName),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by AuthenticationType, RequesterObjectId, UserAgentHeader, bin(TimeGenerated, 10m)
| where OperationCount > HighVolumeThreshold or UniqueContainers > UniqueBucketThreshold
| extend
    Platform = "Azure",
    Severity = iff(OperationCount > 200 or UniqueContainers > 20, "High", "Medium"),
    UserIdentity = coalesce(RequesterObjectId, "Anonymous"),
    UserAgent = UserAgentHeader,
    AWSRegions = dynamic([])
| project TimeGenerated, Platform, UserIdentity, AuthenticationType, UserAgent, OperationCount, UniqueContainers, Operations, SourceIPs, Accounts, FirstSeen, LastSeen, Severity;
// Union and surface results
AWSS3Discovery
| union AzureBlobDiscovery
| sort by OperationCount desc

high severity medium confidence

Data Sources

AWS CloudTrail (via Microsoft Sentinel AWSCloudTrail connector) Azure Storage Analytics / Diagnostic Logs (StorageBlobLogs)

Required Tables

AWSCloudTrail StorageBlobLogs

False Positives

Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis

Splunk

spl

index=* (sourcetype="aws:cloudtrail" OR sourcetype="azure:monitor:storage:blob")
| eval is_aws=if(sourcetype="aws:cloudtrail", 1, 0)
| eval is_azure=if(sourcetype="azure:monitor:storage:blob", 1, 0)
| eval event_action=coalesce(eventName, operationName)
| search event_action IN (
    "ListBuckets", "ListObjects", "ListObjectsV2", "ListObjectVersions",
    "ListMultipartUploads", "GetBucketAcl", "GetBucketPolicy", "GetBucketLocation",
    "ListBlobs", "ListContainers", "GetContainerProperties",
    "GetBlobServiceProperties", "ListBlobsFlatSegment"
  )
| eval actor_identity=coalesce(userIdentity.arn, userIdentity.userName, properties.requesterObjectId, "unknown")
| eval source_ip=coalesce(sourceIPAddress, callerIpAddress, "unknown")
| eval user_agent=coalesce(userAgent, properties.userAgentHeader, "unknown")
| eval target_resource=coalesce(requestParameters.bucketName, uri, "unknown")
| bin _time span=10m
| stats
    count AS operation_count,
    dc(target_resource) AS unique_resources,
    values(event_action) AS operations_performed,
    values(source_ip) AS source_ips,
    values(user_agent) AS user_agents,
    min(_time) AS first_seen,
    max(_time) AS last_seen
    by actor_identity, _time
| where operation_count > 50 OR unique_resources > 5
| eval severity=if(operation_count > 200 OR unique_resources > 20, "high", "medium")
| eval alert_title="Cloud Storage Object Discovery: " . actor_identity . " performed " . operation_count . " listing operations across " . unique_resources . " resources"
| table _time, actor_identity, operation_count, unique_resources, operations_performed, source_ips, user_agents, first_seen, last_seen, severity, alert_title
| sort - operation_count

high severity medium confidence

Data Sources

AWS CloudTrail (Splunk AWS Add-on) Azure Monitor Storage Blob Diagnostics (Splunk Add-on for Microsoft Cloud Services)

Required Sourcetypes

aws:cloudtrail azure:monitor:storage:blob

False Positives

Scheduled backup agents (AWS Backup, third-party tools) performing nightly or hourly storage audits
Data pipeline services (AWS Glue crawlers, Azure Data Factory triggers) that enumerate source containers before processing
Cloud security scanning tools (Prowler, ScoutSuite, Wiz) performing compliance inventory runs
Storage migration projects where large-scale enumeration is expected and authorized
Monitoring agents configured to track object counts or storage metrics across all buckets

Elastic Security (EQL)

eql

any where event.dataset in ("aws.cloudtrail", "azure.activitylogs", "gcp.audit") and (event.action in ("ListObjectsV2", "ListObjects", "ListBuckets", "HeadBucket", "GetBucketAcl", "GetBucketPolicy", "ListAllMyBuckets") or (event.dataset : "azure.activitylogs" and azure.activitylogs.operation_name : "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read"))

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Logs GCP Audit Logs

Required Tables

logs-aws.cloudtrail-* logs-azure.activitylogs-* logs-gcp.audit-*

False Positives

Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis

IBM QRadar (AQL)

sql

SELECT username as "Username", sourceip as "SourceIP", UTF8(payload) as "APICall", devicetime as "EventTime", CASE WHEN UTF8(payload) ILIKE '%ListBuckets%' OR UTF8(payload) ILIKE '%ListAllMyBuckets%' THEN 80 WHEN UTF8(payload) ILIKE '%ListObjectsV2%' AND eventcount > 100 THEN 75 WHEN UTF8(payload) ILIKE '%GetBucketAcl%' OR UTF8(payload) ILIKE '%GetBucketPolicy%' THEN 70 ELSE 50 END as "RiskScore" FROM events WHERE LOGSOURCETYPENAME(devicetype) IN ('Amazon AWS CloudTrail', 'Microsoft Azure', 'Google Cloud Platform') AND (UTF8(payload) ILIKE '%ListObjects%' OR UTF8(payload) ILIKE '%ListBuckets%' OR UTF8(payload) ILIKE '%GetBucketAcl%' OR UTF8(payload) ILIKE '%StorageRead%') ORDER BY "RiskScore" DESC LAST 24 HOURS

high severity medium confidence

Data Sources

Amazon AWS CloudTrail Microsoft Azure Google Cloud Platform

Required Tables

events

False Positives

Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis

Sumo Logic CSE

sql

_sourceCategory=aws/cloudtrail OR _sourceCategory=azure/storage | json auto | where event_name in ("ListObjectsV2", "ListObjects", "ListBuckets", "GetBucketAcl", "GetBucketPolicy") or operation_name matches "*blobs/read*" | if(event_name = "ListBuckets" or event_name = "ListAllMyBuckets", "High", if(count > 100, "High", "Medium")) as RiskLevel | stats count by user_identity_arn, src_ip_addr, event_name, aws_region, RiskLevel | sort by count desc

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Logs

Required Tables

aws/cloudtrail azure/storage gcp/audit

False Positives

Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis

Google Chronicle / SecOps

yaral

rule detect_cloud_storage_discovery {
  meta:
    author = "Argus"
    description = "Detects broad cloud storage enumeration"
    severity = "HIGH"
    technique = "T1619"
  events:
    $e.metadata.event_type = "USER_RESOURCE_ACCESS"
    $e.metadata.product_name = "AWS CloudTrail"
    (
      $e.metadata.product_event_type = "ListObjectsV2" or
      $e.metadata.product_event_type = "ListBuckets" or
      $e.metadata.product_event_type = "GetBucketAcl" or
      $e.metadata.product_event_type = "ListAllMyBuckets"
    )
  match:
    $e.principal.user.userid over 5m
  condition:
    #e > 100
}

high severity medium confidence

Data Sources

AWS CloudTrail Azure Activity Logs GCP Audit Logs

Required Tables

USER_RESOURCE_ACCESS USER_UNCATEGORIZED

False Positives

Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis

CrowdStrike LogScale (CQL)

cql

#event_simpleName=CloudApiActivity
| event_action = /ListObjects|ListBuckets|GetBucketAcl|GetBucketPolicy|StorageRead/i
| case {
    event_action = /ListBuckets|ListAllMyBuckets/i | EnumType := "Bucket Discovery";
    event_action = /ListObjects/i | EnumType := "Object Discovery";
    event_action = /GetBucketAcl|GetBucketPolicy/i | EnumType := "Policy Discovery";
    * | EnumType := "Storage Enumeration"
  }
| stats count() as ApiCallCount by UserName, CloudAccountId, EnumType
| where ApiCallCount > 50
| table([@timestamp, UserName, CloudAccountId, EnumType, ApiCallCount])

high severity medium confidence

Data Sources

CloudApiActivity (Falcon Horizon)

Required Tables

CloudApiActivity DetectionSummaryEvent

False Positives

Legitimate cloud-native backup solutions (e.g., Veeam, AWS Backup, Azure Backup) that enumerate storage objects on a schedule
Data lake or ETL pipeline services (Azure Data Factory, AWS Glue) that list objects as part of normal pipeline execution
Security posture management tools (Prisma Cloud, Wiz, AWS Security Hub) performing periodic storage inventory scans
DevOps CI/CD pipelines that sync or audit S3/Blob content as part of deployment workflows
Cloud cost optimization tools (CloudHealth, Spot.io) enumerating storage for billing analysis

Cloud Storage Object Discovery

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections