Detection coverage in DCV across AWS, Azure and GCP for Defacement, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-04-24.
Adversaries may modify visual content available internally or externally to an enterprise network, thus affecting the integrity of the original content. Reasons for Defacement include delivering messaging, intimidation, or claiming (possibly false) credit for an intrusion. Disturbing or offensive images may be used as a part of Defacement in order to cause user discomfort, or to pressure compliance with accompanying messages.
Platforms: Windows, IaaS, Linux, macOS, ESXi.
DCV maps 25 detections across 2 cloud providers to T1491. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS Config Rules | AWS | 16 | 0.80 |
| AWS GuardDuty | AWS | 8 | 0.85 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma ships 3 production-ready Sigma rules that detect T1491 across 3 platforms. Every rule below is validated against its source SIEM dialect before publication.
High-fidelity detection of T1491 requires correlation across multiple events. For example, a credential-validation call followed by a reconnaissance chain (List* / Describe*) within a short window from an unfamiliar source. A single-event Sigma rule that matches GetCallerIdentity alone fires constantly on legitimate CLI, SDK and CI/CD activity.
Where you have a specific advisory, vulnerability disclosure or blog post that exercises T1491-style abuse, CloudSigma can generate a starting-point rule from that input. You then deploy it in your SIEM and combine it with the SIEM's native correlation features (timeframe joins across users, source-IP anomalies, impossible-travel checks). For T1491 specifically the generated rule is rarely sufficient on its own; pair it with the SIEM-side correlation logic before enabling in production.
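The multi-event correlation described above, as an added illustration that is not CloudSigma's or DCV's own code: a small Python detector run over constructed CloudTrail-style events. It assumes a per-user baseline of familiar source IPs (`KNOWN_SOURCES`, a placeholder for what a SIEM would derive from history) and contrasts the noisy single-event count with the correlated alert.

```python
from datetime import datetime, timedelta, timezone

# Constructed CloudTrail-style events for illustration (not real log data).
EVENTS = [
    {"time": "2026-04-24T10:00:00Z", "user": "ci-deploy", "source_ip": "203.0.113.10", "event": "GetCallerIdentity"},
    {"time": "2026-04-24T10:00:05Z", "user": "ci-deploy", "source_ip": "203.0.113.10", "event": "DescribeInstances"},
    {"time": "2026-04-24T11:00:00Z", "user": "alice", "source_ip": "198.51.100.7", "event": "GetCallerIdentity"},
    {"time": "2026-04-24T11:00:20Z", "user": "alice", "source_ip": "198.51.100.7", "event": "ListBuckets"},
    {"time": "2026-04-24T11:01:00Z", "user": "alice", "source_ip": "198.51.100.7", "event": "DescribeSecurityGroups"},
    {"time": "2026-04-24T11:02:00Z", "user": "alice", "source_ip": "198.51.100.7", "event": "ListUsers"},
    {"time": "2026-04-24T12:00:00Z", "user": "alice", "source_ip": "192.0.2.44", "event": "GetCallerIdentity"},
    {"time": "2026-04-24T13:00:00Z", "user": "alice", "source_ip": "192.0.2.44", "event": "ListBuckets"},
]

# Assumed per-user baseline of familiar source IPs; in practice derived from history.
KNOWN_SOURCES = {"ci-deploy": {"203.0.113.10"}, "alice": {"192.0.2.44"}}

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def single_event_hits(events):
    """What a naive single-event rule on GetCallerIdentity alone would fire on."""
    return sum(1 for e in events if e["event"] == "GetCallerIdentity")

def correlate(events, known_sources, window=timedelta(minutes=5), min_recon=3):
    """Alert only when GetCallerIdentity from a source unfamiliar for that user is
    followed by >= min_recon List*/Describe* calls from the same user and IP
    inside `window`; familiar sources are treated as routine CLI/SDK/CI use."""
    events = sorted(events, key=lambda e: _ts(e["time"]))
    alerts = []
    for i, e in enumerate(events):
        if e["event"] != "GetCallerIdentity":
            continue
        if e["source_ip"] in known_sources.get(e["user"], set()):
            continue
        deadline = _ts(e["time"]) + window
        recon = [f["event"] for f in events[i + 1:]
                 if _ts(f["time"]) <= deadline
                 and f["user"] == e["user"] and f["source_ip"] == e["source_ip"]
                 and f["event"].startswith(("List", "Describe"))]
        if len(recon) >= min_recon:
            alerts.append({"user": e["user"], "source_ip": e["source_ip"],
                           "start": e["time"], "recon_calls": recon})
    return alerts

if __name__ == "__main__":
    print("single-event hits:", single_event_hits(EVENTS))
    for a in correlate(EVENTS, KNOWN_SOURCES):
        print("ALERT", a)
```

On the sample data the single-event rule matches all three GetCallerIdentity calls, while the correlated rule raises one alert, for the unfamiliar-source session that runs three reconnaissance calls within five minutes.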