AN1615: Analytic 1615
Detection of enumeration of identity entities through cloud provider APIs where principals retrieve account metadata such as IAM users or roles in rapid succession.
Analyst context for executives and security teams
This analytic matters because rapid enumeration of cloud identity metadata can be an early signal that a principal is mapping an IaaS environment before taking further action. For leaders, the practical issue is whether the organization can see who is querying IAM users, roles, and account metadata at scale, and whether SOC and IR teams can quickly distinguish expected administration from suspicious reconnaissance.
Executive priority
Prioritize this as a cloud identity visibility and incident-readiness question. Security leaders should ask whether cloud API activity is centrally logged, retained, and reviewable; whether high-volume identity enumeration is covered by managed detection or internal SOC use cases; and whether investigations can tie API calls back to a human, workload, service account, or automation path. The value is strongest for cloud security, IAM governance, audit evidence, and rapid incident scoping in IaaS environments.
Technical view
The supplied ATT&CK object describes detection of principals retrieving identity/account metadata such as IAM users or roles in rapid succession through cloud provider APIs. SOC and detection teams should validate whether they can observe identity-related API calls, identify the calling principal, measure call velocity or bursts, and compare activity against normal administrative or automation baselines. No ATT&CK tactic, relationship context, or official detection logic is supplied, so implementation should be tuned locally rather than treated as a complete rule.
Likely telemetry
- Cloud provider API audit logs for IaaS environments
- Identity and access management activity logs showing users, roles, principals, and service accounts
- Account metadata access events, especially list/describe/get-style identity queries
- Timestamps and request rates needed to identify rapid succession behavior
- Source context such as IP address, region, user agent, session, workload, or automation identity where available
Detection direction
- Validate that cloud API audit logging is enabled and retained for identity metadata read operations, not only write or administrative changes.
- Build or tune analytics around unusual volume, velocity, or breadth of IAM user/role/account metadata queries by a single principal over a short period.
- Baseline expected enumeration from inventory tools, compliance scanners, deployment pipelines, and cloud administration scripts to reduce false positives.
- Correlate enumeration bursts with principal type, source location, session context, and recent authentication activity to support triage.
- Check for blind spots where service accounts, temporary roles, cross-account access, or logging exclusions may hide the principal responsible for enumeration.
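One way to turn the velocity, breadth and baselining points above into running detection logic. This is an added example written for this page; it is not MITRE's, Glexia's, or any cloud provider's code. It assumes CloudTrail-style field names (eventTime, eventSource, eventName, userIdentity.arn, sourceIPAddress, userAgent) because the page names no provider, and every event, principal ARN, IP address and threshold below is constructed for illustration.

```python
"""Burst detection over identity-metadata read calls, keyed by principal.

Assumption: events use CloudTrail-style fields. The page does not name a
provider, so the source names and verbs below are illustrative only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Identity-related API sources and read-style verbs (assumed naming).
IDENTITY_SOURCES = {"iam.amazonaws.com", "sts.amazonaws.com", "organizations.amazonaws.com"}
READ_PREFIXES = ("List", "Get", "Describe")

# Per-principal limits inside one sliding window. Principals documented as
# approved enumerators (inventory, compliance) get a raised baseline rather
# than a blanket suppression, so a compromised scanner role is still visible.
WINDOW = timedelta(seconds=60)
DEFAULT_THRESHOLD = 8   # identity reads per principal per window
DEFAULT_BREADTH = 4     # distinct identity operations per window
BASELINE = {            # constructed allowlist entry
    "arn:aws:sts::111122223333:assumed-role/InventoryScanner/nightly": {"threshold": 200, "breadth": 50},
}


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def is_identity_read(ev):
    """True for list/get/describe-style calls against identity services."""
    return ev["eventSource"] in IDENTITY_SOURCES and ev["eventName"].startswith(READ_PREFIXES)


def detect_enumeration_bursts(events):
    """Return one finding per principal whose identity reads exceed its window
    limits. Each finding carries the triage context the page asks for:
    source IPs, user agents and the distinct operations seen."""
    by_principal = defaultdict(list)
    for ev in events:
        if is_identity_read(ev):
            by_principal[ev["userIdentity"]["arn"]].append(ev)

    findings = []
    for principal, evs in by_principal.items():
        limits = BASELINE.get(principal, {"threshold": DEFAULT_THRESHOLD, "breadth": DEFAULT_BREADTH})
        evs.sort(key=lambda e: parse_time(e["eventTime"]))
        times = [parse_time(e["eventTime"]) for e in evs]
        best, start = None, 0
        for end in range(len(evs)):
            while times[end] - times[start] > WINDOW:   # slide the window forward
                start += 1
            window = evs[start:end + 1]
            ops = {e["eventName"] for e in window}
            if len(window) >= limits["threshold"] and len(ops) >= limits["breadth"]:
                if best is None or len(window) > best["count"]:
                    best = {
                        "principal": principal,
                        "window_start": evs[start]["eventTime"],
                        "count": len(window),
                        "operations": sorted(ops),
                        "source_ips": sorted({e["sourceIPAddress"] for e in window}),
                        "user_agents": sorted({e["userAgent"] for e in window}),
                    }
        if best:
            findings.append(best)
    return findings


def _ev(t, source, name, arn, ip, ua):
    return {"eventTime": t, "eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip, "userAgent": ua}


# Constructed sample events: one burst, one approved scanner, one routine admin.
SUSPECT = "arn:aws:iam::111122223333:user/contractor-ci"
SCANNER = "arn:aws:sts::111122223333:assumed-role/InventoryScanner/nightly"
ADMIN = "arn:aws:iam::111122223333:user/alice"
_BURST_OPS = ["ListUsers", "ListRoles", "ListGroups", "ListPolicies", "GetAccountSummary",
              "ListAccessKeys", "ListAttachedRolePolicies", "GetUser", "ListRolePolicies",
              "ListInstanceProfiles"]
SAMPLE_EVENTS = (
    [_ev(f"2024-05-01T02:13:{s:02d}Z", "iam.amazonaws.com", op, SUSPECT, "198.51.100.7", "aws-cli/2.15.0")
     for s, op in zip(range(0, 20, 2), _BURST_OPS)]
    + [_ev(f"2024-05-01T03:00:{s:02d}Z", "iam.amazonaws.com", "ListUsers" if s % 2 else "ListRoles",
           SCANNER, "10.0.4.21", "inventory-bot/1.0") for s in range(30)]
    + [_ev("2024-05-01T09:15:00Z", "iam.amazonaws.com", "GetUser", ADMIN, "203.0.113.9", "console.amazonaws.com"),
       _ev("2024-05-01T09:15:05Z", "iam.amazonaws.com", "CreateAccessKey", ADMIN, "203.0.113.9", "console.amazonaws.com")]
)

if __name__ == "__main__":
    for f in detect_enumeration_bursts(SAMPLE_EVENTS):
        print(f)
```

Run as-is, only the contractor principal is reported: ten distinct identity reads inside twenty seconds exceed the default limits, while the scanner's thirty reads stay under its documented baseline and the admin's single read never reaches the threshold. In production the thresholds, the allowlist and the set of identity sources must come from your own logging coverage and IAM model, as the page's notes stress.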
Mitigation priorities
- Ensure cloud API audit logging is enabled, centralized, protected from tampering, and retained long enough for investigation.
- Review IAM permissions so principals have only the identity metadata access required for their function.
- Document approved inventory, compliance, and automation activities that legitimately enumerate users or roles.
- Create response playbooks for suspicious cloud identity enumeration, including principal containment, credential/session review, and scope assessment.
- Use detections as evidence for IAM governance and cloud monitoring maturity, but validate coverage per cloud account, role, and logging configuration.
Analyst notes and limits
This object is a detection analytic for IaaS platforms focused on enumeration of identity entities through cloud provider APIs. There are no supplied relationships, no tactic assignment, and no official detection text beyond the description, so this analysis emphasizes defensive validation, telemetry readiness, and local baselining rather than specific rule syntax.
The source fields do not identify a specific cloud provider, tactic, related technique, actor, campaign, or confirmed exploitation pattern. Detection thresholds, normal behavior, and investigative severity must be determined from the organization’s own cloud architecture, IAM model, and logging coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
All related ATT&CK context
No relationships are available in the current normalized data for this object.
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 6d1762d60e3d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] mitre-attack: AN1615
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.