Last reviewed:
Detection coverage in DCV across AWS, Azure and GCP for Cloud Service Discovery, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-06-05.
An adversary may attempt to enumerate the cloud services running on a system after gaining access. These methods can differ from platform-as-a-service (PaaS), to infrastructure-as-a-service (IaaS), or software-as-a-service (SaaS). Many services exist throughout the various cloud providers and can include Continuous Integration and Continuous Delivery (CI/CD), Lambda Functions, Entra ID, etc. They may also include security services, such as AWS GuardDuty and Microsoft Defender for Cloud, and logging services, such as AWS CloudTrail and Google Cloud Audit Logs.
Adversaries may attempt to discover information about the services enabled throughout the environment. Azure tools and APIs, such as the Microsoft Graph API and Azure Resource Manager API, can enumerate resources and services, including applications, management groups, resources and policy definitions, and their relationships that are accessible by an identity.
For example, Stormspotter is an open source tool for enumerating and constructing a graph for Azure resources and services, and Pacu is an open source AWS exploitation framework that supports several methods for discovering cloud services.
Adversaries may use the information gained to shape follow-on behaviors, such as targeting data or credentials from enumerated services or evading identified defenses through Disable or Modify Tools or Disable or Modify Cloud Log.
Platforms: IaaS, Identity Provider, Office Suite, SaaS.
DCV maps 10 detections across 2 cloud providers to T1526. Coverage by source:
| Source | Cloud | Findings mapped | Avg confidence |
|---|---|---|---|
| AWS GuardDuty | AWS | 9 | 0.87 |
| GCP Chronicle | GCP | 1 | 0.85 |
CloudSigma has coverage metadata for 10 T1526 rules across 3 platforms. The linked platform page remains the canonical rule surface; this page will embed an example after a rule clears the public embed bar.
CloudSigma has coverage metadata for T1526, but no public example rule clears the embed bar for this page yet. Generate a fresh starting-point rule in CloudSigma from the relevant advisory or threat-research input, then validate it against your local telemetry before enabling it in production.
Detection coverage in DCV across AWS, Azure and GCP for Cloud Service Discovery, plus the corresponding Sigma rules in the CloudSigma library. Source data refreshed 2026-06-05.
DCV maps 10 cloud-native detections to T1526 across 2 cloud providers, drawn from AWS GuardDuty and GCP Chronicle.
T1526 is part of MITRE ATT&CK TA0007 Discovery: How adversaries learn what they have access to.
CloudSigma ships 3 validated Sigma rules for T1526 across AWS CloudTrail, Azure Activity and GCP Audit Logs. Each rule is validated against its source SIEM dialect before publication.