Cloud Service Metadata

Cloud service metadata is the contextual and descriptive information about cloud services, including their name, type, purpose, and configuration, and the activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples:

  • Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine.
  • AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the DescribeInstances API call.
  • Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using gcloud compute instances describe.
  • Office 365 Metadata: Metadata about an Office 365 SharePoint site.

ID: DC0070
Domains: Enterprise
Version: 2.0
Created: 20 October 2021
Last Modified: 12 November 2025

Log Sources

| Name | Channel |
|------|---------|
| AWS:CloudTrail | GetInstanceIdentityDocument |
| AWS:CloudTrail | rds:ExecuteStatement: Large data access via RDS or Aurora with unknown session context |
| AWS:CloudTrail | GetSecretValue |
| AWS:CloudTrail | InvokeFunction |
| AWS:CloudWatch | unexpected IAM user or role assuming privileges for instance/snapshot operations |
| m365:exchange | Cmdlet - New-InboxRule |
| m365:sharepoint | Multiple file download operations on a site by a privileged account in a short time window |
| m365:unified | New-InboxRule, Set-InboxRule |
| saas:github | repo.download, repo.clone, oauth.authorize, repo.getContent |
| saas:github | CI/CD secret accessed or exported |

Detection Strategy