1. Home
  2. Data Components
  3. Cloud Service Metadata

Cloud Service Metadata

Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples:

  • Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine.
  • AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the DescribeInstances API call.
  • Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using gcloud compute instances describe.
  • Office 365 Metadata: Metadata about an Office 365 SharePoint site.

This data component can be collected through the following measures:

Enable Cloud Metadata APIs

  • Leverage APIs provided by cloud providers to query metadata about services.
    • AWS: Use AWS CLI or SDKs for DescribeInstances, DescribeBuckets, etc.
    • Azure: Use az resource list or SDKs.
    • Google Cloud: Use gcloud compute instances describe or related commands.
    • Office 365: Use Microsoft Graph API.

Centralize Metadata in a Security Platform

  • Aggregate metadata from multiple clouds into a SIEM or CSPM (Cloud Security Posture Management) tool.
  • Example: Integrate AWS CloudTrail with Splunk or Azure Monitor with Sentinel.

Enable Continuous Monitoring

  • Set up automated jobs or workflows to regularly query and update metadata.
  • Example: Use AWS Config to track resource configurations and changes over time.

Configure Access and Logging

  • Enable logging for API queries to ensure access and usage of metadata are monitored.
  • Example: Use AWS CloudTrail to log API activity for metadata queries.

Use Cloud Security Tools

  • Employ CSPM tools like Prisma Cloud, Wiz, or Dome9 to gather metadata and identify misconfigurations.
  • Example: Prisma Cloud provides consolidated views of metadata for resources across AWS, Azure, and GCP.
ID: DC0070
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 21 October 2025

Log Sources

Name Channel
AWS:CloudTrail rds:ExecuteStatement: Large data access via RDS or Aurora with unknown session context
AWS:CloudWatch unexpected IAM user or role assuming privileges for instance/snapshot operations
CloudTrail:GetInstanceIdentityDocument GetInstanceIdentityDocument
CloudTrail:GetSecretValue API call to retrieve secret or access key
CloudTrail:InvokeFunction InvokeFunction
m365:exchange Cmdlet - New-InboxRule
m365:sharepoint Multiple file download operations on a site by a privileged account in a short time window
m365:unified New-InboxRule, Set-InboxRule
saas:github repo.download, repo.clone, oauth.authorize, repo.getContent
saas:github CI/CD secret accessed or exported

Detection Strategy

ID Name Technique Detected
DET0415 Application Exhaustion Flood Detection Across Platforms T1499.003
DET0412 Detect Access or Search for Unsecured Credentials Across Platforms T1552
DET0001 Detect Access to Cloud Instance Metadata API (IaaS) T1552.005
DET0500 Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users T1213.002
DET0263 Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms T1213.003
DET0308 Detection Strategy for Modify Cloud Compute Infrastructure T1578
DET0533 Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows T1677
DET0576 Email Forwarding Rule Abuse Detection Across Platforms T1114.003
DET0242 Suspicious Database Access and Dump Activity Across Environments (T1213.006) T1213.006