DS0025 Cloud Service
Infrastructure, platforms, or software that are hosted on-premise or by third-party providers, made available to users through network connections and/or APIs12
| Item | Value |
|---|---|
| ID | DS0025 |
| Platforms | Azure AD, Google Workspace, IaaS, Office 365, SaaS |
| Collection Layers | Cloud Control Plane |
| Version | 1.0 |
| Created | 20 October 2021 |
| Last Modified | 30 March 2022 |
Data Components
Cloud Service Disable
Deactivation or stoppage of a cloud service (ex: AWS Cloudtrail StopLogging)
| Domain | ID | Name |
|---|---|---|
| enterprise | T1562 | Impair Defenses |
| enterprise | T1562.008 | Disable Cloud Logs |
Cloud Service Enumeration
An extracted list of cloud services (ex: AWS ECS ListServices)
| Domain | ID | Name |
|---|---|---|
| enterprise | T1526 | Cloud Service Discovery |
| enterprise | T1046 | Network Service Discovery |
Cloud Service Modification
Changes made to a cloud service, including its settings and/or data (ex: AWS CloudTrail DeleteTrail or DeleteConfigRule)
| Domain | ID | Name |
|---|---|---|
| enterprise | T1546 | Event Triggered Execution |
| enterprise | T1562 | Impair Defenses |
| enterprise | T1562.008 | Disable Cloud Logs |
| enterprise | T1648 | Serverless Execution |
References
-
Amazon. (n.d.). Start Building on AWS Today. Retrieved October 13, 2021. ↩
-
Microsoft. (n.d.). Azure products. Retrieved October 13, 2021. ↩
-
Amazon Web Services. (n.d.). Stopping CloudTrail from Sending Events to CloudWatch Logs. Retrieved October 16, 2020. ↩
-
Google. (n.d.). Configuring Data Access audit logs. Retrieved October 16, 2020. ↩
-
Microsoft. (n.d.). az monitor diagnostic-settings. Retrieved October 16, 2020. ↩