MITRE ATT&CK® Analytic

AN1127: Analytic 1127

Unusual enumeration of services and resources through cloud APIs such as AWS CLI `describe-*`, Azure Resource Manager queries, or GCP project listings. Defender perspective includes anomalous API calls, unexpected volume of service enumeration, and correlation of discovery with recently compromised sessions.

Enterprise · AN1127 · Analytic · Object v1.0 · Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

This analytic matters because unusual cloud resource enumeration can be an early sign that a cloud session or credential is being used to map the environment. For leaders, the decision value is whether the organization can distinguish normal administrator, automation, and inventory activity from unexpected discovery across IaaS resources before it becomes an incident-response problem.

Executive priority

Prioritize validation of cloud audit logging, identity context, and alert triage for IaaS enumeration behavior. The business risk is not the API call itself; it is the possibility that a recently compromised session is being used to understand services, projects, accounts, or resources. This is relevant to cloud security readiness, incident scoping, compliance evidence for monitoring, and SOC ability to escalate suspicious cloud activity with enough context to act.

Technical view

SOC and detection teams should validate whether cloud API activity is collected and normalized well enough to identify anomalous service/resource enumeration, including AWS CLI describe-style activity, Azure Resource Manager queries, and GCP project/resource listing activity as described by ATT&CK. Because no official detection logic is supplied, teams should build detections around deviations from expected identities, roles, source locations, tools, time windows, and call volume, then correlate enumeration with recent session anomalies or suspected compromise indicators.

Likely telemetry

  • Cloud control-plane audit logs for IaaS APIs
  • Identity and session context for cloud principals and users
  • API call names, request volume, timestamps, source IPs, user agents, and regions/projects/accounts
  • Cloud resource inventory and ownership context for expected administrative activity
  • Authentication events and recent session-risk signals that can be correlated with discovery behavior

Detection direction

  • Baseline expected enumeration behavior for administrators, automation, inventory tools, and security tooling before alerting on volume alone.
  • Tune for unusual combinations: unexpected principal, new source location, atypical user agent, broad service coverage, or sudden spikes in resource-listing API calls.
  • Correlate enumeration with recently compromised or suspicious sessions where local telemetry supports that context.
  • Avoid treating all cloud inventory activity as malicious; false positives are likely from asset management, compliance scans, deployment automation, and legitimate troubleshooting.
  • Confirm coverage across the supported platform scope: IaaS cloud control-plane activity.
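As an added example that is not part of the ATT&CK object or of Glexia's analysis, the following Python sketch applies the detection direction above to constructed CloudTrail-like events: it leaves documented automation sources out of alerting, compares each principal's session against a local baseline of source IPs and user agents, measures how many services were enumerated and how many discovery calls fell inside a sliding window, and correlates the session with a list of sessions already flagged by an authentication-risk signal. The event field names, ARNs, baseline, approved-source list, suspicious-session list and all thresholds are assumptions chosen for illustration.

```python
"""Score describe/list-style cloud API activity per principal session against a local baseline.

Added example, not ATT&CK or Glexia code. The event shape (CloudTrail-like field
names), baseline, approved automation list, suspicious-session list and thresholds
are constructed assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

DISCOVERY_PREFIXES = ("Describe", "List", "Get")  # describe-style (read-only discovery) API names
WINDOW = timedelta(minutes=10)                     # sliding window for call volume (assumed)
BROAD_SERVICES = 4                                 # distinct services that count as "broad" (assumed)
VOLUME_SPIKE = 25                                  # discovery calls per WINDOW that count as a spike (assumed)


def make_event(ts, principal, api, service, ip, ua, session):
    """Build one constructed control-plane audit event."""
    return {"time": datetime.fromisoformat(ts), "principal": principal, "api": api,
            "service": service, "ip": ip, "ua": ua, "session": session}


AUTOMATION = "arn:aws:iam::111122223333:role/inventory-automation"  # constructed ARN
ADMIN = "arn:aws:iam::111122223333:user/alice"                      # constructed ARN

# Constructed sample: routine inventory automation, a normal admin session, and the same
# admin identity enumerating five services from a new IP and tool inside a flagged session.
EVENTS = [
    make_event("2025-01-10T08:00:00", AUTOMATION, "DescribeInstances", "ec2", "10.0.5.20", "aws-sdk-go/1.44", "s-auto-1"),
    make_event("2025-01-10T08:00:01", AUTOMATION, "ListBuckets", "s3", "10.0.5.20", "aws-sdk-go/1.44", "s-auto-1"),
    make_event("2025-01-10T09:15:00", ADMIN, "DescribeInstances", "ec2", "203.0.113.10", "aws-cli/2.15", "s-alice-1"),
    make_event("2025-01-10T09:16:00", ADMIN, "RunInstances", "ec2", "203.0.113.10", "aws-cli/2.15", "s-alice-1"),
]
DISCOVERY_CALLS = [("DescribeInstances", "ec2"), ("ListUsers", "iam"), ("ListBuckets", "s3"),
                   ("GetCallerIdentity", "sts"), ("ListFunctions", "lambda")]
EVENTS += [make_event(f"2025-01-10T23:41:{i:02d}", ADMIN, *DISCOVERY_CALLS[i % 5],
                      "198.51.100.7", "python-requests/2.31", "s-alice-2") for i in range(30)]

# Local context the analytic depends on (constructed): known locations and tools per principal,
# documented inventory sources, and sessions already flagged by an authentication-risk signal.
BASELINE = {
    AUTOMATION: {"ips": {"10.0.5.20"}, "uas": {"aws-sdk-go/1.44"}},
    ADMIN: {"ips": {"203.0.113.10"}, "uas": {"aws-cli/2.15"}},
}
APPROVED_SOURCES = {AUTOMATION}
SUSPICIOUS_SESSIONS = {"s-alice-2"}


def is_discovery(api):
    return api.startswith(DISCOVERY_PREFIXES)


def peak_calls(times, window=WINDOW):
    """Largest number of timestamps that fall inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def score_discovery(events, baseline, approved, suspicious_sessions):
    """Return one finding per (principal, session) whose discovery activity deviates from baseline."""
    by_session = defaultdict(list)
    for e in events:
        # Documented inventory/automation sources are baselined rather than alerted on.
        if is_discovery(e["api"]) and e["principal"] not in approved:
            by_session[(e["principal"], e["session"])].append(e)
    findings = []
    for (principal, session), evs in by_session.items():
        reasons = []
        known = baseline.get(principal)
        if known is None:
            reasons.append("unexpected principal: no baseline for this identity")
        else:
            new_ips = {e["ip"] for e in evs} - known["ips"]
            new_uas = {e["ua"] for e in evs} - known["uas"]
            if new_ips:
                reasons.append(f"new source location: {sorted(new_ips)}")
            if new_uas:
                reasons.append(f"atypical user agent: {sorted(new_uas)}")
        services = {e["service"] for e in evs}
        if len(services) >= BROAD_SERVICES:
            reasons.append(f"broad service coverage: {sorted(services)}")
        peak = peak_calls([e["time"] for e in evs])
        if peak >= VOLUME_SPIKE:
            reasons.append(f"volume spike: {peak} discovery calls within {WINDOW}")
        if session in suspicious_sessions:
            reasons.append("correlated with a recently flagged session")
        if reasons:
            findings.append({"principal": principal, "session": session,
                             "score": len(reasons), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


if __name__ == "__main__":
    for f in score_discovery(EVENTS, BASELINE, APPROVED_SOURCES, SUSPICIOUS_SESSIONS):
        print(f"{f['principal']} / {f['session']} score={f['score']}")
        for r in f["reasons"]:
            print("  -", r)
```

Scoring per (principal, session) rather than per principal keeps a legitimate session of the same identity from being tainted by a flagged one, and the approved-source set is where the documented inventory, compliance-scan and deployment-automation identities from the mitigation list would go. Volume alone never produces a finding here unless it exceeds the window threshold, while a known identity from a known location touching many services still surfaces, which is the intended balance between the baseline and false-positive points above.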

Mitigation priorities

  • Ensure cloud audit logging is enabled, retained, and accessible to SOC and incident responders.
  • Review identity permissions so users and workloads have only the enumeration access required for their role.
  • Strengthen session and credential controls, especially where suspicious enumeration can be tied to recent authentication anomalies.
  • Document approved inventory, automation, and security scanning sources to improve triage quality.
  • Prepare IR playbooks for suspected cloud session compromise, including principal review, token/session handling, and resource-scope assessment.

Analyst notes and limits

ATT&CK provides this as detection analytic AN1127 for enterprise IaaS environments. The supplied object describes unusual enumeration through cloud APIs and highlights anomalous API calls, unexpected enumeration volume, and correlation with recently compromised sessions. No tactics, relationships, or official detection implementation were supplied, so this take focuses on defensive validation and operational readiness rather than a specific ATT&CK technique chain.

The source fields do not provide detection logic, thresholds, related techniques, data components, or procedure examples. Local cloud architecture, identity model, logging configuration, and normal automation patterns are required to determine severity and reduce false positives.

Official MITRE ATT&CK definition

Analytic 1127

Unusual enumeration of services and resources through cloud APIs such as AWS CLI `describe-*`, Azure Resource Manager queries, or GCP project listings. Defender perspective includes anomalous API calls, unexpected volume of service enumeration, and correlation of discovery with recently compromised sessions.

The same entry is also available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: 3a673e9e4b087f90...

Imported snapshots across ATT&CK releases (1)

  Release | Bundle imported | Object version | Modified | Status         | Raw hash
  19.1    |                 | 1.0            |          | Current bundle | 3a673e9e4b08…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. mitre-attack AN1127 (source URL)

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.