AWS Lambda discovery operation

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-02-02
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	N/A (single event)
Deduplication Period	1 Day
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Cloud Infrastructure Discovery (T1580) Cloud Service Discovery (T1526)
Severity	Informational

Description

AWS Lambda discovery operation.

Attacker's Goals

Enumerate functions, gather configuration and trigger details, and identify attached roles or permissions.
Assess potential entry points, understand execution context, and plan privilege escalation or function tampering.

Investigative actions

Verify if the identity is expected to access Lambda configuration or code metadata.
Check if this API call was part of a broader enumeration pattern.
Determine whether the activity aligns with typical deployment or monitoring behavior, or if it appears manual or anomalous.
Investigate whether this was followed by any actions that could indicate lateral movement.