AWS IAM account discovery operation

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-02-02
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Account Discovery: Cloud Account (T1087.004)
Severity	Informational

Description

AWS IAM account discovery operation.

Attacker's Goals

Understand the IAM structure and relationships between users, roles, and groups to identify high-privilege identities or misconfigurations.
Identify identities or roles that can be used to escalate privileges or gain broader access.

Investigative actions

Check if the request follows a suspicious login, temporary credential use, or access from an unusual IP address.
Check if the operation is followed by or correlated with other enumeration actions.