DC0070 Cloud Service Metadata

| Item | Value |
|---|---|
| ID | DC0070 |
| Version | 2.0 |
| Created | 20 October 2021 |
| Last Modified | 12 November 2025 |

Log Sources

| Name | Channel |
|---|---|
| AWS:CloudTrail | GetInstanceIdentityDocument |
| AWS:CloudTrail | rds:ExecuteStatement: Large data access via RDS or Aurora with unknown session context |
| AWS:CloudTrail | GetSecretValue |
| AWS:CloudTrail | InvokeFunction |
| AWS:CloudWatch | unexpected IAM user or role assuming privileges for instance/snapshot operations |
| m365:exchange | Cmdlet - New-InboxRule |
| m365:sharepoint | Multiple file download operations on a site by a privileged account in a short time window |
| m365:unified | New-InboxRule, Set-InboxRule |
| saas:github | repo.download, repo.clone, oauth.authorize, repo.getContent |
| saas:github | CI/CD secret accessed or exported |

Detection Strategy

| ID | Name | Technique Detected |
|---|---|---|
| DET0415 | Application Exhaustion Flood Detection Across Platforms | T1499.003 |
| DET0412 | Detect Access or Search for Unsecured Credentials Across Platforms | T1552 |
| DET0001 | Detect Access to Cloud Instance Metadata API (IaaS) | T1552.005 |
| DET0500 | Detecting Abnormal SharePoint Data Mining by Privileged or Rare Users | T1213.002 |
| DET0263 | Detecting Bulk or Anomalous Access to Private Code Repositories via SaaS Platforms | T1213.003 |
| DET0308 | Detection Strategy for Modify Cloud Compute Infrastructure | T1578 |
| DET0533 | Detection Strategy for Poisoned Pipeline Execution via SaaS CI/CD Workflows | T1677 |
| DET0576 | Email Forwarding Rule Abuse Detection Across Platforms | T1114.003 |
| DET0242 | Suspicious Database Access and Dump Activity Across Environments (T1213.006) | T1213.006 |