Detection of suspicious enumeration of cloud storage objects via API calls such as AWS S3 ListObjectsV2, Azure List Blobs, or GCP ListObjects. Correlate access with account role, user context, and prior authentication activity to identify anomalous usage patterns (e.g., unusual account, unexpected regions, or large-scale enumeration in short time windows).

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Enumeration (DC0017) | AWS:CloudTrail | ListObjectsV2 |
| Cloud Storage Access (DC0025) | AWS:CloudTrail | GetObject |

| Field | Description |
|---|---|
| TimeWindow | Correlation window (e.g., multiple enumeration calls within 5 minutes) may indicate automated discovery versus normal user activity. |
| UserContext | Expected service accounts and IAM roles that regularly enumerate storage; deviations may indicate suspicious activity. |
| RegionScope | Unusual enumeration of buckets across multiple geographic regions in short succession may indicate adversary reconnaissance. |
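
The correlation described above, as an added example that is not part of the original analytic: a sliding-window check over CloudTrail-shaped records driven by the three tunable fields. The record layout uses CloudTrail's `eventTime`, `eventName`, `awsRegion` and `userIdentity.arn`; the thresholds, ARNs and sample events are constructed, and `ListObjects` is matched alongside `ListObjectsV2` as an assumption.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Tunables named after the Field table; every value here is constructed.
ENUM_EVENTS = {"ListObjectsV2", "ListObjects"}  # ListObjects added as an assumption
TIME_WINDOW = timedelta(minutes=5)              # TimeWindow
MIN_CALLS, MIN_REGIONS = 4, 2                   # burst size, RegionScope
BACKUP = "arn:aws:iam::111122223333:role/backup-indexer"  # constructed ARN
DEV = "arn:aws:iam::111122223333:user/dev-laptop"         # constructed ARN
EXPECTED = {BACKUP}                             # UserContext allowlist

def ts(e):
    return datetime.strptime(e["eventTime"], "%Y-%m-%dT%H:%M:%SZ")

def event(time, name, arn, region):
    """Build a minimal CloudTrail-shaped record (sample data helper)."""
    return {"eventTime": time, "eventName": name, "awsRegion": region,
            "userIdentity": {"arn": arn}}

def detect(records):
    """Alert on unexpected principals whose listing is bursty or multi-region."""
    per_arn = defaultdict(list)
    for r in records:
        per_arn[r["userIdentity"]["arn"]].append(r)
    alerts = []
    for arn, recs in per_arn.items():
        listing = sorted((r for r in recs if r["eventName"] in ENUM_EVENTS), key=ts)
        if arn in EXPECTED or not listing:
            continue  # known enumerators are baselined separately
        calls, regions, start = 0, set(), 0
        for end, cur in enumerate(listing):
            while ts(cur) - ts(listing[start]) > TIME_WINDOW:
                start += 1  # slide the window start forward
            window = listing[start:end + 1]
            calls = max(calls, len(window))
            regions = max(regions, {r["awsRegion"] for r in window}, key=len)
        reasons = [n for n, hit in (("burst", calls >= MIN_CALLS),
                                    ("multi_region", len(regions) >= MIN_REGIONS)) if hit]
        if reasons:
            # DC0025 enrichment: GetObject calls after the first listing call
            reads = sum(r["eventName"] == "GetObject" and ts(r) >= ts(listing[0]) for r in recs)
            alerts.append({"arn": arn, "reasons": reasons, "calls": calls,
                           "regions": sorted(regions), "followon_reads": reads})
    return alerts

SAMPLE = (  # constructed events: one unexpected burst, one allowlisted job
    [event(f"2024-05-01T10:0{i}:00Z", "ListObjectsV2", DEV,
           "us-east-1" if i < 3 else "eu-west-1") for i in range(5)]
    + [event("2024-05-01T10:06:00Z", "GetObject", DEV, "eu-west-1")]
    + [event(f"2024-05-01T11:0{i}:00Z", "ListObjectsV2", BACKUP, "us-east-1") for i in range(6)])
```

The allowlisted role produces no alert even though it lists more often than the flagged user, which is the UserContext tuning point: thresholds alone would page on routine jobs.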