Aws Iam Accessdenied Discovery Events

Date: 2025-08-12 ID: f92a9a8e-2f9b-42ef-a85b-0145c886145a Author: Generated by dataset_analyzer.py Environment: attack_range Directory: aws_iam_accessdenied_discovery_events

Description

Automatically categorized datasets in directory aws_iam_accessdenied_discovery_events

MITRE ATT&CK Techniques

ID	Technique	Tactic
T1580	Cloud Infrastructure Discovery	Discovery

Environment Details

Field	Value
Environment	attack_range
Directory	aws_iam_accessdenied_discovery_events
Test Date	2025-08-12

Datasets

The following datasets were collected during this attack simulation:

Aws_iam_accessdenied_discovery_events-Json

Path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json
Sourcetype: aws:cloudtrail
Source: aws_cloudtrail

Asl_ocsf_cloudtrail-Json

Path: /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/asl_ocsf_cloudtrail.json
Sourcetype: aws:cloudtrail:lake
Source: aws_asl

The following detections in our security content repository use this attack data for testing:

Detection Name	Type	Source	MITRE ATT&CK	Analytic Story
ASL AWS IAM AccessDenied Discovery Events	`Anomaly`	Cloud	T1580	Suspicious Cloud User Activities
AWS IAM AccessDenied Discovery Events	`Anomaly`	Cloud	T1580	Suspicious Cloud User Activities

Usage Instructions

Replay with Splunk Attack Data

Replay attack data with replay.py from Splunk Attack Data.

1python replay.py --dataset /datasets/attack_techniques/T1580/aws_iam_accessdenied_discovery_events/aws_iam_accessdenied_discovery_events.json --index attack_data

Manual Import

Download the dataset files from the paths listed above
Configure your Splunk instance with the appropriate sourcetypes
Import the logs using the Splunk Add Data wizard

Find more detections and analytics for this attack technique in our security content repository.

Source: GitHub | Version: 1.0