Storage enumeration activity

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	10 Minutes
Deduplication Period	5 Days
Required Data	Requires one of the following data sources: AWS Audit Log OR Azure Audit Log OR Gcp Audit Log
Detection Modules	Cloud
ATT&CK Tactic	Discovery (TA0007) Collection (TA0009)
ATT&CK Technique	Cloud Storage Object Discovery (T1619) Data from Cloud Storage (T1530) Cloud Service Discovery (T1526)
Severity	Informational

Description

An identity attempted to discover cloud objects within storage buckets.
This might be an attempt by an adversary to find sensitive data stored in cloud storage, which could lead to data theft.

Attacker's Goals

Access sensitive data stored in cloud infrastructure.

Investigative actions

Check the identity's role designation in the organization.
Identify which storage buckets were enumerated and whether they contained sensitive information.