Unusual enumeration of services and resources through cloud APIs such as AWS CLI describe-*, Azure Resource Manager queries, or GCP project listings. Defender perspective includes anomalous API calls, unexpected volume of service enumeration, and correlation of discovery with recently compromised sessions.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | DescribeInstances, DescribeServices, ListFunctions: High frequency enumeration calls or unusual user agents performing discovery |
| User Account Metadata (DC0013) | AWS:CloudTrail | AssumeRole: Discovery actions tied to assumed identities outside of normal context |

| Field | Description |
|---|---|
| EnumerationRateThreshold | Rate of API calls used to enumerate services; tuned to reduce noise from automated inventory tools. |
| UserAgentFilter | Expected user agents for cloud management tools; deviations may indicate adversarial tools. |
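The EnumerationRateThreshold and UserAgentFilter tunables applied to CloudTrail records, as an added example that is not part of the detection strategy itself: the threshold value, window, expected user-agent prefixes, and the sample log records are assumptions constructed for illustration. It flags a principal that exceeds the discovery-call rate inside the window, flags discovery calls from user agents outside the allow-list, and labels assumed-role sessions so they can be correlated with the AssumeRole events named above.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables mirroring EnumerationRateThreshold / UserAgentFilter (values are assumptions)
ENUMERATION_RATE_THRESHOLD = 5          # discovery calls per principal per window
WINDOW = timedelta(minutes=5)
USER_AGENT_FILTER = ("aws-cli/", "aws-sdk-", "console.amazonaws.com")  # expected prefixes
DISCOVERY_PREFIXES = ("Describe", "List", "Get")  # CloudTrail eventName prefixes treated as discovery


def principal_of(event):
    # Assumed-role sessions are labelled explicitly so they can be tied back to AssumeRole events
    ident = event.get("userIdentity", {})
    if ident.get("type") == "AssumedRole":
        return "AssumedRole:" + ident.get("arn", "unknown")
    return ident.get("type", "unknown") + ":" + ident.get("userName", ident.get("arn", "unknown"))


def detect_enumeration(log_lines):
    # Takes one JSON CloudTrail record per line; returns a list of alert dicts
    alerts, by_principal = [], defaultdict(list)
    for line in log_lines:
        e = json.loads(line)
        if not e["eventName"].startswith(DISCOVERY_PREFIXES):
            continue
        ua = e.get("userAgent", "")
        if not ua.startswith(USER_AGENT_FILTER):
            alerts.append({"rule": "unexpected_user_agent", "principal": principal_of(e),
                           "eventName": e["eventName"], "userAgent": ua})
        by_principal[principal_of(e)].append(datetime.fromisoformat(e["eventTime"].replace("Z", "+00:00")))
    # Sliding window: count discovery calls per principal within WINDOW
    for principal, times in by_principal.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > WINDOW:
                start += 1
            if end - start + 1 > ENUMERATION_RATE_THRESHOLD:
                alerts.append({"rule": "high_rate", "principal": principal, "count": end - start + 1})
                break
    return alerts


def _rec(t, name, ua, ident):  # builds a constructed CloudTrail-style record (not real log data)
    return json.dumps({"eventTime": t, "eventName": name, "userAgent": ua, "userIdentity": ident})

ASSUMED = {"type": "AssumedRole", "arn": "arn:aws:sts::123456789012:assumed-role/ReadOnly/session-x"}
SAMPLE_LOG = [_rec(f"2024-05-01T10:0{i}:00Z", n, "python-requests/2.31.0", ASSUMED)
              for i, n in enumerate(["DescribeInstances", "DescribeServices", "ListFunctions",
                                     "ListBuckets", "DescribeSecurityGroups", "ListUsers"])]
SAMPLE_LOG += [_rec("2024-05-01T11:00:00Z", "DescribeInstances", "aws-cli/2.15.0", {"type": "IAMUser", "userName": "ops-inventory"}),
               _rec("2024-05-01T11:30:00Z", "RunInstances", "aws-cli/2.15.0", {"type": "IAMUser", "userName": "ops-inventory"})]
```

Against the constructed sample, the assumed-role session produces six user-agent alerts and one high-rate alert, while the IAM user running a single inventory call through the AWS CLI produces none.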
Enumeration of directories, applications, or service principals through APIs such as Microsoft Graph or Okta API. Defender perspective includes unexpected listing of users, roles, applications, and abnormal access to identity management endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | azure:audit | ListApplications, ListServicePrincipals: Large-scale queries against identity or application objects |
| Logon Session Creation (DC0067) | azure:signinlogs | InteractiveUserLogin: Discovery behavior linked to privileged logins from atypical IP ranges |

| Field | Description |
|---|---|
| QueryVolumeThreshold | Threshold for number of object enumeration calls before triggering detection. |
| PrivilegedRoleList | High-value identity roles (Global Admin, Application Admin) for targeted discovery monitoring. |
Discovery of SaaS services connected to productivity platforms (e.g., Microsoft 365, Google Workspace). Defender perspective includes unexpected enumeration of enabled services, API integrations, or OAuth applications tied to user accounts.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | m365:unified | Get-MsolServicePrincipal, ListAppRoles: Service discovery operations executed by accounts not normally performing administrative tasks |
| Logon Session Creation (DC0067) | m365:signinlogs | UserLogin: Discovery operations shortly after account logins from new geolocations |

| Field | Description |
|---|---|
| MonitoredAppIntegrations | Specific Office Suite applications or plugins that may be enumerated or targeted. |
| GeoLocationDeviation | Geographic deviation threshold for discovery actions linked to recent logins. |
Discovery of connected SaaS applications, APIs, or configurations within platforms like Salesforce, Slack, or Zoom. Defender perspective includes enumeration of available integrations, abnormal querying of service metadata, and follow-on attempts to exploit or persist via discovered services.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | saas:adminapi | ListIntegrations, ListServices: Repeated service discovery requests from accounts without administrative responsibilities |
| Logon Session Creation (DC0067) | saas:auth | Login, TokenGranted: Discovery actions tied to anomalous login sessions or tokens |

| Field | Description |
|---|---|
| IntegrationDiscoveryThreshold | Number of SaaS integrations enumerated before triggering detection. |
| ServiceAccountScope | Expected permissions for service accounts to distinguish benign from malicious discovery. |