All Events
The full catalog, one row per event. Type to filter by name, service, tag, or technique ID, or narrow by provider and tactic — filtered views are shareable URLs.
azure Add App Role Assignment To Service Principal Azure - Microsoft Entra ID Privilege Escalation +1 azure Add Application Azure - Microsoft Entra ID Persistence +1 azure Add Eligible Member To Role In Pim Completed Azure - Microsoft Entra ID Privilege Escalation +1 azure Add Federated Identity Credential Azure - Microsoft Entra ID Persistence azure Add Member To Role Azure - Microsoft Entra ID Privilege Escalation +1 azure Add Owner To Application Azure - Microsoft Entra ID Privilege Escalation +1 azure Add Owner To Group Azure - Microsoft Entra ID Privilege Escalation azure Add Role Definition Azure - Authorization Privilege Escalation +1 azure Add Service Principal Azure - Microsoft Entra ID Persistence +1 azure Add User Azure - Microsoft Entra ID Persistence azure Add Verified Domain Azure - Microsoft Entra ID Persistence gcp add-iam-policy-binding GCP - IAM Privilege Escalation +1 aws AddPermission20150331v2 AWS - Lambda Persistence +1 aws AddRoleToInstanceProfile AWS - IAM Privilege Escalation +2 aws AddUserToGroup AWS - IAM Persistence +1 azure Admin Registered Security Info Azure - Microsoft Entra ID Persistence aws ArchiveFindings AWS - GuardDuty Defense Impairment aws AssociateIamInstanceProfile AWS - EC2 Privilege Escalation aws AssumeRole AWS - STS Initial Access +3 aws AssumeRoleWithSAML AWS - STS Initial Access +3 aws AssumeRoleWithWebIdentity AWS - STS Initial Access +3 aws AttachGroupPolicy AWS - IAM Persistence +1 aws AttachRolePolicy AWS - IAM Persistence +1 aws AttachUserPolicy AWS - IAM Persistence +1 aws AuthorizeDBSecurityGroupIngress AWS - RDS Defense Impairment aws AuthorizeSecurityGroupEgress AWS - EC2 Defense Impairment +1 aws AuthorizeSecurityGroupIngress AWS - EC2 Defense Impairment +1 gcp bigquery.jobs.insert GCP - BigQuery Collection +1 aws ChangePassword AWS - IAM Persistence +2 gcp cloudsql.instances.export GCP - Cloud SQL Exfiltration +1 gcp compute.disks.setIamPolicy GCP - Compute Engine Privilege Escalation +1 gcp compute.firewalls.delete GCP - Compute Engine Defense Impairment gcp compute.firewalls.patch GCP - Compute Engine Defense Impairment gcp compute.instances.addAccessConfig GCP - Compute Engine Initial Access gcp Compute.instances.setMetadata GCP - Compute Engine Persistence +2 gcp compute.instances.setServiceAccount GCP - Compute Engine Privilege Escalation gcp compute.projects.setCommonInstanceMetadata GCP - Compute Engine Persistence +2 azure Consent To Application Azure - Microsoft Entra ID Persistence +2 aws ConsoleLogin AWS - SignIn Initial Access +1 azure CopyBlob Azure - Azure Blob Storage Collection +1 aws CopyObject AWS - S3 Collection +1 aws CreateAccessEntry AWS - EKS Persistence +1 aws CreateAccessKey AWS - IAM Persistence +1 aws CreateAccount AWS - Organizations Persistence aws CreateAssociation AWS - SSM Persistence aws CreateDBSnapshot AWS - RDS Collection +1 aws CreateDevEndpoint AWS - Glue Privilege Escalation aws CreateFilter AWS - GuardDuty Defense Impairment aws CreateImage AWS - EC2 Collection +1 aws CreateInstanceExportTask AWS - EC2 Exfiltration +1 aws CreateIPSet AWS - GuardDuty Defense Impairment aws CreateKeyPair AWS - EC2 Persistence +1 aws CreateLoginProfile AWS - IAM Persistence +1 aws CreateNetworkAclEntry AWS - EC2 Defense Impairment aws CreateOpenIDConnectProvider AWS - IAM Persistence +1 aws CreatePolicy AWS - IAM Persistence +1 aws CreatePolicyVersion AWS - IAM Privilege Escalation aws CreateRole AWS - IAM Persistence +1 gcp CreateRole GCP - IAM Privilege Escalation +1 aws CreateSAMLProvider AWS - IAM Persistence +1 aws CreateServiceLinkedRole AWS - IAM Privilege Escalation aws CreateSnapshot AWS - EC2 Collection +1 aws CreateStack AWS - CloudFormation Execution +1 aws CreateUser AWS - IAM Persistence aws CreateVirtualMFADevice AWS - IAM Persistence aws DeactivateMFADevice AWS - IAM Defense Impairment aws DeleteAccessKey AWS - IAM Defense Impairment +1 aws DeleteAlarms AWS - CloudWatch Defense Impairment aws DeleteBucket AWS - S3 Impact +1 aws DeleteBucketPolicy AWS - S3 Defense Impairment +1 aws DeleteConfigRule AWS - Config Defense Impairment aws DeleteConfigurationRecorder AWS - Config Defense Impairment aws DeleteDBCluster AWS - RDS Impact aws DeleteDBInstance AWS - RDS Impact aws DeleteDeliveryChannel AWS - Config Defense Impairment aws DeleteDetector AWS - GuardDuty Defense Impairment aws DeleteEventDataStore AWS - CloudTrail Defense Impairment aws DeleteFileSystem AWS - elasticfilesystem Impact aws DeleteFlowLogs AWS - EC2 Defense Impairment aws DeleteGlobalCluster AWS - RDS Impact aws DeleteLogGroup AWS - CloudWatchLogs Defense Impairment aws DeleteLoginProfile AWS - IAM Impact +1 aws DeleteLogStream AWS - CloudWatchLogs Defense Impairment aws DeleteMembers AWS - GuardDuty Defense Impairment aws DeleteNetworkAcl AWS - EC2 Defense Impairment aws DeleteNetworkAclEntry AWS - EC2 Defense Impairment aws DeleteObject AWS - S3 Impact aws DeleteObjects AWS - S3 Impact aws DeleteRolePermissionsBoundary AWS - IAM Privilege Escalation +1 aws DeleteRolePolicy AWS - IAM Defense Impairment +1 aws DeleteRuleGroup AWS - WAFV2 Defense Impairment aws DeleteSnapshot AWS - EC2 Impact aws DeleteTrail AWS - CloudTrail Defense Impairment aws DeleteUser AWS - IAM Impact +1 aws DeleteUserPermissionsBoundary AWS - IAM Privilege Escalation +1 aws DeleteUserPolicy AWS - IAM Defense Impairment +1 aws DeleteVirtualMFADevice AWS - IAM Persistence aws DeleteVolume AWS - EC2 Impact aws DeleteWebACL AWS - WAFV2 Defense Impairment aws DetachRolePolicy AWS - IAM Defense Impairment +1 aws DetachUserPolicy AWS - IAM Defense Impairment +1 azure Disable Strong Authentication Azure - Microsoft Entra ID Persistence aws DisableKey AWS - KMS Impact aws DisassociateFromMasterAccount AWS - GuardDuty Defense Impairment aws DisassociateMembers AWS - GuardDuty Defense Impairment aws EnableRegion AWS - Account Management Stealth +2 aws EnableSerialConsoleAccess AWS - EC2 Lateral Movement +1 gcp EnableServiceAccount GCP - IAM Persistence +1 gcp generateAccessToken GCP - IAM Credential Access +2 aws GetAuthorizationToken AWS - ECR Credential Access aws GetFederationToken AWS - STS Credential Access +3 aws GetObject AWS - S3 Collection +1 aws GetParameters AWS - SSM Credential Access +1 aws GetPasswordData AWS - EC2 Credential Access aws GetSecretValue AWS - SecretsManager Credential Access +1 aws GetSessionToken AWS - STS Credential Access +2 aws GetSigninToken AWS - SignIn Credential Access +2 gcp google.cloud.securitycenter.v1.SecurityCenter.SetMute GCP - Security Command Center Defense Impairment gcp google.iam.admin.v1.CreateServiceAccountKey GCP - IAM Persistence +1 gcp google.iam.admin.v1.DeleteServiceAccount GCP - IAM Impact gcp google.iam.admin.v1.DeleteServiceAccountKey GCP - IAM Stealth gcp google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy GCP - IAM Privilege Escalation +1 gcp google.iam.admin.v1.UploadServiceAccountKey GCP - IAM Persistence gcp google.logging.v2.ConfigServiceV2.UpdateExclusion GCP - Cloud Logging Defense Impairment gcp google.logging.v2.LoggingServiceV2.DeleteLog GCP - Cloud Logging Defense Impairment gcp google.ssh-serialport.v1.connect GCP - SSH Serial Port Lateral Movement +1 gcp iam.roles.update GCP - IAM Privilege Escalation +1 gcp iam.serviceAccountKeys.implicitDelegation GCP - IAM Privilege Escalation +2 gcp iam.serviceAccounts.actAs GCP - IAM Privilege Escalation +2 gcp iam.serviceAccounts.signJwt GCP - IAM Credential Access +2 aws ImportKeyPair AWS - EC2 Persistence +1 azure Invite External User Azure - Microsoft Entra ID Persistence aws Invoke AWS - Lambda Execution aws LeaveOrganization AWS - Organizations Defense Impairment gcp logging.projects.exclusions.create GCP - Cloud Logging Defense Impairment gcp logging.sinks.delete GCP - Cloud Logging Defense Impairment gcp logging.sinks.update GCP - Cloud Logging Defense Impairment azure Microsoft.AppConfiguration/configurationStores/listKeys/action Azure - App Configuration Credential Access +1 azure Microsoft.Authorization/elevateAccess/action Azure - Authorization Privilege Escalation +1 azure Microsoft.Authorization/locks/delete Azure - Authorization Defense Impairment azure Microsoft.Authorization/roleAssignments/delete Azure - Authorization Impact azure Microsoft.Authorization/roleAssignments/write Azure - Authorization Privilege Escalation +1 azure Microsoft.Automation/automationAccounts/credentials/read Azure - Automation Credential Access +1 azure Microsoft.Automation/automationAccounts/jobs/write Azure - Automation Execution +1 azure Microsoft.Automation/automationAccounts/runbooks/write Azure - Automation Persistence +1 azure Microsoft.Automation/automationAccounts/webhooks/action Azure - Automation Execution azure Microsoft.Automation/automationAccounts/webhooks/write Azure - Automation Persistence +1 azure Microsoft.Batch/batchAccounts/listKeys/action Azure - Batch Credential Access +1 azure Microsoft.Compute/disks/beginGetAccess/action Azure - Compute Collection +1 azure Microsoft.Compute/snapshots/beginGetAccess/action Azure - Compute Collection +1 azure Microsoft.Compute/sshPublicKeys/write Azure - Compute Persistence +1 azure Microsoft.Compute/virtualMachines/delete Azure - Compute Impact +1 azure Microsoft.Compute/virtualMachines/extensions/write Azure - Compute Persistence +1 azure Microsoft.Compute/virtualMachines/runCommand/action Azure - Compute Execution +1 azure Microsoft.Compute/virtualMachines/write (CustomScriptExtension) Azure - Compute Execution +1 azure Microsoft.ContainerRegistry/registries/listCredentials/action Azure - Container Registry Credential Access +1 azure Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action Azure - Container Service Credential Access +2 azure Microsoft.ContainerService/managedClusters/listClusterUserCredential/action Azure - Container Service Credential Access +1 azure Microsoft.ContainerService/managedClusters/runCommand/action Azure - AKS Execution +1 azure Microsoft.Directory/groups/members/update Azure - Microsoft Entra ID Privilege Escalation +1 azure Microsoft.Directory/servicePrincipals/credentials/update Azure - Microsoft Entra ID Credential Access +2 azure Microsoft.EventHub/namespaces/eventhubs/delete Azure - Event Hubs Impact +1 azure Microsoft.HybridCompute/machines/extensions/delete Azure - Azure Arc Defense Impairment azure Microsoft.Insights/activityLogAlerts/delete Azure - Monitor Defense Impairment azure Microsoft.Insights/diagnosticSettings/delete Azure - Monitor Defense Impairment azure Microsoft.Insights/metricAlerts/delete Azure - Monitor Defense Impairment azure Microsoft.KeyVault/vaults/accessPolicies/write Azure - Key Vault Credential Access azure Microsoft.KeyVault/vaults/certificates/read Azure - Key Vault Credential Access +1 azure Microsoft.KeyVault/vaults/delete Azure - Key Vault Impact +1 azure Microsoft.KeyVault/vaults/keys/read Azure - Key Vault Credential Access +1 azure Microsoft.KeyVault/vaults/secrets/delete Azure - Key Vault Impact +1 azure Microsoft.KeyVault/vaults/secrets/read Azure - Key Vault Credential Access +1 azure Microsoft.ManagedIdentity/userAssignedIdentities/assign/action Azure - Managed Identity Privilege Escalation +1 azure Microsoft.Network/networkSecurityGroups/delete Azure - Network Security Group Defense Impairment azure Microsoft.Network/networkSecurityGroups/securityRules/write Azure - Network Security Group Defense Impairment +1 azure Microsoft.Network/networkWatchers/flowLogs/delete Azure - Network Watcher Defense Impairment azure Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write Azure - Network Lateral Movement +1 azure Microsoft.OperationalInsights/workspaces/delete Azure - Log Analytics Defense Impairment +1 azure Microsoft.OperationalInsights/workspaces/sharedKeys/action Azure - Log Analytics Credential Access +1 azure Microsoft.RecoveryServices/vaults/backupProtectedItems/delete Azure - Backup Impact +1 azure Microsoft.Security/alertsSuppressionRules/write Azure - Microsoft Defender for Cloud Defense Impairment azure Microsoft.Security/autoProvisioningSettings/write Azure - Microsoft Defender for Cloud Defense Impairment azure Microsoft.Security/pricings/write Azure - Microsoft Defender for Cloud Defense Impairment azure Microsoft.Security/securitySolutions/delete Azure - Microsoft Defender for Cloud Defense Impairment azure Microsoft.SerialConsole/serialPorts/connect/action Azure - Compute Lateral Movement +1 azure Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action Azure - Service Bus Credential Access +1 azure Microsoft.Sql/servers/databases/delete Azure - Azure SQL Impact azure Microsoft.Sql/servers/databases/export/action Azure - Azure SQL Exfiltration +1 azure Microsoft.Storage/storageAccounts/blobServices/containers/delete Azure - Azure Storage Impact azure Microsoft.Storage/storageAccounts/delete Azure - Azure Storage Impact +1 azure Microsoft.Storage/storageAccounts/listKeys/action Azure - Azure Storage Credential Access +1 azure Microsoft.Storage/storageAccounts/regenerateKey/action Azure - Azure Storage Credential Access +1 azure Microsoft.Storage/storageAccounts/stopLogging/action Azure - Azure Storage Defense Impairment azure Microsoft.Web/sites/host/listKeys/action Azure - Web Credential Access +1 aws ModifyDBInstance AWS - RDS Exfiltration +1 aws ModifyDBSnapshotAttribute AWS - RDS Exfiltration +1 aws ModifyImageAttribute AWS - EC2 Defense Impairment +2 aws ModifyInstanceAttribute AWS - EC2 Defense Impairment +1 aws ModifySnapshotAttribute AWS - EC2 Exfiltration +1 aws PassRole AWS - IAM Privilege Escalation +2 aws PasswordRecoveryRequested AWS - SignIn Initial Access +2 aws PutBucketAcl AWS - S3 Defense Impairment +2 aws PutBucketLifecycle AWS - S3 Impact +1 aws PutBucketLifecycleConfiguration AWS - S3 Impact +1 aws PutBucketPolicy AWS - S3 Defense Impairment +2 aws PutBucketPublicAccessBlock AWS - S3 Defense Impairment aws PutBucketReplication AWS - S3 Exfiltration aws PutEventSelectors AWS - CloudTrail Defense Impairment aws PutGroupPolicy AWS - IAM Persistence +1 aws PutImage AWS - ECR Persistence aws PutKeyPolicy AWS - KMS Privilege Escalation aws PutRolePermissionsBoundary AWS - IAM Defense Impairment aws PutRolePolicy AWS - IAM Persistence +1 aws PutRule AWS - EventBridge Persistence aws PutTargets AWS - EventBridge Persistence aws PutUserPermissionsBoundary AWS - IAM Defense Impairment aws PutUserPolicy AWS - IAM Persistence +1 aws RemoveAccountFromOrganization AWS - Organizations Defense Impairment aws ReplaceIamInstanceProfileAssociation AWS - EC2 Privilege Escalation +2 azure Reset User Password Azure - Microsoft Entra ID Persistence aws RestoreDBInstanceFromDBSnapshot AWS - RDS Exfiltration +1 aws ResumeSession AWS - SSM Lateral Movement +1 aws ScheduleKeyDeletion AWS - KMS Impact +1 gcp secretmanager.secrets.delete GCP - Secret Manager Impact +1 gcp SecretManagerService.AccessSecretVersion GCP - Secret Manager Credential Access +1 gcp SecretManagerService.DestroySecretVersion GCP - Secret Manager Impact +1 gcp Securitycenter.settings.update GCP - Security Command Center Defense Impairment aws SendCommand AWS - SSM Execution +1 aws SendSerialConsoleSSHPublicKey AWS - EC2InstanceConnect Lateral Movement +1 aws SendSSHPublicKey AWS - EC2InstanceConnect Lateral Movement +1 aws SetDefaultPolicyVersion AWS - IAM Privilege Escalation aws SharedSnapshotCopyInitiated AWS - EC2 Exfiltration +1 aws SharedSnapshotVolumeCreated AWS - EC2 Collection +1 aws StartBuild AWS - CodeBuild Execution aws StartExportTask AWS - RDS Exfiltration +1 aws StartSession AWS - SSM Lateral Movement +1 aws StopConfigurationRecorder AWS - Config Defense Impairment aws StopLogging AWS - CloudTrail Defense Impairment aws StopMonitoringMembers AWS - GuardDuty Defense Impairment gcp storage.buckets.delete GCP - Cloud Storage Impact +1 gcp storage.hmacKeys.create GCP - Cloud Storage Persistence gcp storage.objects.delete GCP - Cloud Storage Impact gcp storage.setIamPermissions GCP - Cloud Storage Defense Impairment +2 aws TerminateInstances AWS - EC2 Impact +1 azure Update Conditional Access Policy Azure - Microsoft Entra ID Defense Impairment azure Update named location Azure - Conditional Access, Named Locations Defense Impairment azure Update Role Definition Azure - Authorization Privilege Escalation +1 azure Update User Authentication Methods Azure - Microsoft Entra ID Persistence +1 aws UpdateAccessKey AWS - IAM Persistence aws UpdateAssumeRolePolicy AWS - IAM Persistence +1 aws UpdateDetector AWS - GuardDuty Defense Impairment aws UpdateDevEndpoint AWS - Glue Privilege Escalation aws UpdateFindingsFeedback AWS - GuardDuty Defense Impairment aws UpdateFunctionCode20150331v2 AWS - Lambda Persistence +1 aws UpdateFunctionConfiguration20150331v2 AWS - Lambda Persistence +1 aws UpdateIPSet AWS - GuardDuty Defense Impairment aws UpdateLoginProfile AWS - IAM Persistence +2 aws UpdateTrail AWS - CloudTrail Defense Impairment gcp users.importSshPublicKey GCP - OS Login Persistence +1 gcp users.sshPublicKeys.patch GCP - OS Login Persistence +1 azure VaultPatch Azure - Azure Key Vault Defense Impairment +1