Last reviewed:
Detection coverage in DCV across AWS, Azure and GCP for Data from Information Repositories, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-05-30.
Adversaries may leverage information repositories to mine valuable information. Information repositories are tools that allow for storage of information, typically to facilitate collaboration or information sharing between users, and can store a wide variety of data that may aid adversaries in further objectives, such as Credential Access, Lateral Movement, or Defense Evasion, or direct access to the target information. Adversaries may also abuse external sharing features to share sensitive documents with recipients outside of the organization (i.e., Transfer Data to Cloud Account).
The following is a brief list of example information that may hold potential value to an adversary and may also be found on an information repository:
* Policies, procedures, and standards * Physical / logical network diagrams * System architecture diagrams * Technical system documentation * Testing / development credentials (i.e., Unsecured Credentials) * Work / project schedules * Source code snippets * Links to network shares and other internal resources * Contact or other sensitive information about business partners and customers, including personally identifiable information (PII)
Information stored in a repository may vary based on the specific instance or environment. Specific common information repositories include the following:
* Storage services such as IaaS databases, enterprise databases, and more specialized platforms such as customer relationship management (CRM) databases * Collaboration platforms such as SharePoint, Confluence, and code repositories * Messaging platforms such as Slack and Microsoft Teams
In some cases, information repositories have been improperly secured, typically by unintentionally allowing for overly-broad access by all users or even public access to unauthenticated users. This is particularly common with cloud-native or cloud-hosted services, such as AWS Relational Database Service (RDS), Redis, or ElasticSearch.
Platforms: Linux, Windows, macOS, SaaS, IaaS, Office Suite.
DCV maps 1 detection across 1 cloud provider to T1213. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 1 T1213 rule across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1213, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
Detection coverage in DCV across AWS, Azure and GCP for Data from Information Repositories, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-05-30.
DCV maps 1 cloud-native detections to T1213 across 1 cloud providers, drawn from GCP Chronicle.
T1213 is part of MITRE ATT&CK TA0009 Collection: How adversaries gather data of interest before exfiltration.
CloudSigma ships 3 validated Sigma rules for T1213 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.