Cloud Service Metadata (b33d36e3-d7ea-4895-8eed-19a08a8f7c4f)

Cloud service metadata refers to the contextual and descriptive information about cloud services, including their name, type, purpose, configuration, and activity around them. This metadata is essential for understanding the roles and functions of cloud services, their operational status, and their potential misuse. Examples:

  • Azure Service Metadata: Metadata describing a resource in Azure, such as an Azure Storage Account or a Virtual Machine.
  • AWS Cloud Service Metadata: Metadata for an AWS EC2 instance collected using the DescribeInstances API call.
  • Google Cloud Service Metadata: Metadata for a Google Compute Engine instance collected using gcloud compute instances describe.
  • Office 365 Metadata: Metadata about an Office 365 SharePoint site.

This data component can be collected through the following measures:

Enable Cloud Metadata APIs

  • Leverage APIs provided by cloud providers to query metadata about services.
    • AWS: Use AWS CLI or SDKs for DescribeInstances, DescribeBuckets, etc.
    • Azure: Use az resource list or SDKs.
    • Google Cloud: Use gcloud compute instances describe or related commands.
    • Office 365: Use Microsoft Graph API.

Centralize Metadata in a Security Platform

  • Aggregate metadata from multiple clouds into a SIEM or CSPM (Cloud Security Posture Management) tool.
  • Example: Integrate AWS CloudTrail with Splunk or Azure Monitor with Sentinel.

Enable Continuous Monitoring

  • Set up automated jobs or workflows to regularly query and update metadata.
  • Example: Use AWS Config to track resource configurations and changes over time.
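
A minimal sketch of such a scheduled job, as an added example (not part of the original entry and not AWS Config itself): it compares two saved snapshots shaped like the output of the DescribeInstances call and reports instances that were created, deleted, or changed. The function names, tracked fields, and sample instance IDs are assumptions made for this illustration.

```python
# Fields of each instance record that are compared between snapshots (an assumed selection).
TRACKED = ("InstanceType", "State", "SecurityGroups", "IamInstanceProfile")

def normalise(key, value):
    """Reduce nested structures to order-independent, comparable values."""
    if value is None:
        return None
    if key == "State":
        return value.get("Name")
    if key == "SecurityGroups":
        return sorted(g["GroupId"] for g in value)
    if key == "IamInstanceProfile":
        return value.get("Arn")
    return value

def index_instances(describe_output):
    """Flatten a DescribeInstances-shaped response into {InstanceId: tracked fields}."""
    out = {}
    for reservation in describe_output.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            out[inst["InstanceId"]] = {k: normalise(k, inst.get(k)) for k in TRACKED}
    return out

def diff_snapshots(old, new):
    """Return created and deleted instance ids plus per-field (old, new) changes."""
    a, b = index_instances(old), index_instances(new)
    changed = {}
    for iid in a.keys() & b.keys():
        delta = {k: (a[iid][k], b[iid][k]) for k in TRACKED if a[iid][k] != b[iid][k]}
        if delta:
            changed[iid] = delta
    return {"created": sorted(b.keys() - a.keys()),
            "deleted": sorted(a.keys() - b.keys()),
            "changed": changed}

# Constructed sample snapshots (not real account data).
OLD = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "InstanceType": "t3.micro", "State": {"Name": "running"},
     "SecurityGroups": [{"GroupId": "sg-01"}]},
    {"InstanceId": "i-0bbb", "InstanceType": "t3.small", "State": {"Name": "running"},
     "SecurityGroups": [{"GroupId": "sg-01"}]}]}]}
NEW = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0aaa", "InstanceType": "t3.micro", "State": {"Name": "running"},
     "SecurityGroups": [{"GroupId": "sg-01"}, {"GroupId": "sg-99"}]},
    {"InstanceId": "i-0ccc", "InstanceType": "p3.8xlarge", "State": {"Name": "running"},
     "SecurityGroups": [{"GroupId": "sg-99"}]}]}]}

if __name__ == "__main__":
    print(diff_snapshots(OLD, NEW))
```

The resulting created, deleted, and changed sets are the kind of records that can be forwarded to the central security platform for review.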

Configure Access and Logging

  • Enable logging for API queries to ensure access and usage of metadata are monitored.
  • Example: Use AWS CloudTrail to log API activity for metadata queries.

Use Cloud Security Tools

  • Employ CSPM tools like Prisma Cloud, Wiz, or Dome9 to gather metadata and identify misconfigurations.
  • Example: Prisma Cloud provides consolidated views of metadata for resources across AWS, Azure, and GCP.

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Cloud Service Metadata (b33d36e3-d7ea-4895-8eed-19a08a8f7c4f) | mitre-data-component | Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) | Attack Pattern | 1 |
| Cloud Service Metadata (b33d36e3-d7ea-4895-8eed-19a08a8f7c4f) | mitre-data-component | Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) | Attack Pattern | 1 |
| Cloud Service Metadata (b33d36e3-d7ea-4895-8eed-19a08a8f7c4f) | mitre-data-component | Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) | Attack Pattern | 1 |
| Cloud Service Metadata (b33d36e3-d7ea-4895-8eed-19a08a8f7c4f) | mitre-data-component | Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) | Attack Pattern | 1 |
| Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) | Attack Pattern | Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) | Attack Pattern | 2 |
| Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) | Attack Pattern | Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) | Attack Pattern | 2 |