Data Source: AWS Organizations

AWS Account Discovery By Rare User

Apr 10, 2026 · Domain: Cloud Domain: Identity Data Source: AWS Data Source: Amazon Web Services Data Source: AWS CloudTrail Data Source: AWS Organizations Data Source: AWS IAM Use Case: Threat Detection Tactic: Discovery Resources: Investigation Guide ·
Share on:

Identifies the first time, within a lookback window, an identity performs AWS Organizations or IAM account enumeration APIs. Attackers with compromised credentials often map the organization (accounts, OUs, roots, delegated admins) and account-level metadata (aliases, summary) using the AWS CLI or SDKs. This is a New Terms rule detecting a rare occurrence of the cloud.account.id and user.name pair for these actions.

Read More
AWS Discovery API Calls via CLI from a Single Resource

Apr 10, 2026 · Domain: Cloud Data Source: AWS Data Source: AWS EC2 Data Source: AWS IAM Data Source: AWS S3 Data Source: AWS Cloudtrail Data Source: AWS RDS Data Source: AWS Lambda Data Source: AWS STS Data Source: AWS KMS Data Source: AWS SES Data Source: AWS Cloudfront Data Source: AWS DynamoDB Data Source: AWS Elastic Load Balancing Data Source: AWS Organizations Use Case: Threat Detection Tactic: Discovery Resources: Investigation Guide ·
Share on:

Detects when a single AWS resource is running multiple read-only, discovery API calls in a 10-second window. This behavior could indicate an actor attempting to discover the AWS infrastructure using compromised credentials or a compromised instance. Adversaries may use this information to identify potential targets for further exploitation or to gain a better understanding of the target's infrastructure.

Read More

AWS Account Discovery By Rare User

AWS Discovery API Calls via CLI from a Single Resource