Live Active security incident? Get immediate response
MITRE ATT&CK® Analytic

AN1456: Analytic 1456

Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.

EnterpriseAN1456AnalyticObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

This analytic concerns cloud API activity used to enumerate virtual machine and asset configuration in IaaS environments, such as AWS EC2 DescribeInstances or Azure VM inventory-style queries. For leaders, the value is not that these API calls are inherently malicious; they are common administrative actions. The risk is that the same visibility can support unauthorized discovery after an identity, role, or access key is misused. Coverage depends on whether cloud control-plane logs are collected, retained, and tied back to identities and expected operational workflows.

Executive priority

Prioritize this as an identity and cloud monitoring validation item. Security leaders should ask whether teams can prove who enumerated cloud assets, from where, under which role or account, and whether the activity was expected. This supports incident response scoping, cloud security assurance, audit evidence for privileged access monitoring, and resilience planning when cloud inventory exposure could help an intruder identify high-value systems.

Technical view

For SOC, detection engineering, and IR teams, validate monitoring for IaaS control-plane API calls that enumerate compute assets and configurations. The supplied ATT&CK object specifically references cloud API calls such as AWS EC2 DescribeInstances and Azure VM Inventory. Because no official detection logic or tactic mapping is provided, treat this as a coverage and baselining analytic: correlate enumeration calls with identity, role/session context, source network, user agent or automation context when available, time of day, volume, and whether the caller normally performs inventory operations.

Likely telemetry

  • Cloud control-plane audit logs for IaaS API activity
  • API event names for compute or VM inventory/enumeration, including examples such as AWS EC2 DescribeInstances and Azure VM inventory-style events
  • Cloud identity and access context, including principal, role, session, account or subscription, and authentication source where available
  • Source IP, geolocation or network origin, user agent, and automation/tooling indicators where logged
  • Asset inventory and configuration management records to compare expected versus unusual enumeration

Detection direction

  • Confirm that IaaS API audit logs are enabled, centralized, searchable, and retained long enough for investigation.
  • Baseline normal inventory and discovery behavior by cloud account, subscription, role, workload, and automation process before alerting on volume alone.
  • Tune for unusual combinations such as new or rarely used principals, unexpected source locations, unusual timing, abnormal API volume, or enumeration across many assets or accounts.
  • Correlate enumeration with recent authentication changes, role assumptions, access key usage, or other suspicious cloud control-plane activity when available.
  • Account for false positives from legitimate inventory tools, compliance scanners, cloud management platforms, and administrator troubleshooting.

Mitigation priorities

  • Ensure least-privilege access for cloud identities that can enumerate IaaS asset configuration.
  • Review privileged roles, service principals, access keys, and automation accounts that perform inventory operations.
  • Centralize and protect cloud audit logs so enumeration activity remains available for SOC and IR review.
  • Maintain an approved inventory of legitimate discovery tools and scheduled jobs to support tuning and reduce false positives.
  • Use change management and access review evidence to distinguish expected administrative enumeration from suspicious use of cloud APIs.
Analyst notes and limits

This object is a detection analytic, not a technique description. The official ATT&CK fields provide an IaaS platform scope and examples of cloud API enumeration, but no official detection logic, tactics, mitigations, or relationship context. The strongest use is as a prompt to validate cloud control-plane telemetry, identity context, and baseline assumptions around asset inventory behavior.

No relationships, tactic mapping, or official detection text were supplied. This take does not infer active exploitation, adversary attribution, impact, or guaranteed detection coverage. Local cloud architecture, logging configuration, identity model, and approved automation must be reviewed to determine material risk and alerting thresholds.

Official MITRE ATT&CK definition

Analytic 1456

Use of cloud API calls (e.g., AWS EC2 DescribeInstances, Azure VM Inventory) to enumerate system configurations across assets.

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

Relationship explorer

All related ATT&CK context

No relationships are available in the current normalized data for this object.

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
c4086d0d75a9df77...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle c4086d0d75a9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    mitre-attack AN1456
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use