AWS Lambda infrastructure enumeration activity

Cortex XDR Analytics Alert Reference by Alert name

Product: Cortex XDR
Last date published: 2026-02-02
Category: Analytics Alert Reference
Index by: Alert name

Synopsis

Activation Period	14 Days
Training Period	30 Days
Test Period	1 Hour
Deduplication Period	5 Days
Required Data	Requires: AWS Audit Log
Detection Modules	Cloud
Detector Tags
ATT&CK Tactic	Discovery (TA0007)
ATT&CK Technique	Cloud Infrastructure Discovery (T1580)
Severity	Informational

Description

Lambda infrastructure enumeration activity detected within a specific AWS region.

Attacker's Goals

Discover deployed functions and their configurations.
Assess IAM policies, event triggers, and execution limits to evaluate privilege levels and potential abuse paths.
Enumerate metadata for potential weaknesses or sensitive data.

Investigative actions

Identify and review the specific Lambda enumeration API calls executed and their frequency.
Verify the identity performing the calls and assess if this behavior is typical or anomalous.
Correlate with other discovery activities and check related logs for suspicious patterns or subsequent actions.