Azure Add App Role Assignment To Service Principal
Grants an application role to a service principal, allowing it to act with that role's permissions within the application.
All Events
All Events
Section titled “All Events”Browse and filter cloud security events by cloud provider and MITRE ATT&CK tactics.
Azure Add Application
Creates and registers a new application in Microsoft Entra ID, establishing an identity that can authenticate and request access tokens.
Azure Add Eligible Member To Role In Pim Completed
Adds a user as an eligible member for a privileged role in Azure PIM, allowing them to activate the role on demand.
Azure Add Federated Identity Credential
Adds a federated identity credential to an application, enabling secretless persistent access via workload identity federation.
Azure Add Member To Role
Directly assigns a user or service principal to an Entra ID directory role, granting that role's permissions.
Azure Add Owner To Application
Adds an owner to an Entra ID application registration, granting them management rights over the application.
Azure Add Owner To Group
Adds an owner to a group, granting the ability to modify group membership for lateral movement.
Azure Add Role Definition
Creates a new custom Azure RBAC role definition with specified allowed and denied actions.
Azure Add Service Principal
Creates a service principal in Entra ID, representing the identity instance of an application within a tenant.
Azure Add User
Creates a new user account in Microsoft Entra ID.
Azure Add Verified Domain
Adds a custom domain to a Microsoft Entra ID tenant and initiates the domain verification process.
GCP add-iam-policy-binding
Adds an IAM policy binding to a GCP resource, granting a member (user, group, or service account) a specified role.
AWS AddPermission20150331v2
Adds a permission to a Lambda function's resource-based policy, allowing specified principals to invoke the function.
AWS AddRoleToInstanceProfile
Adds an IAM role to an EC2 instance profile, enabling EC2 instances to assume that role and access AWS services.
AWS AddUserToGroup
Adds an IAM user to a specified group, granting the user all permissions attached to that group.
Azure Admin Registered Security Info
Records an administrator registering authentication methods (e.g., MFA) on behalf of another user in Entra ID.
AWS ArchiveFindings
Archives GuardDuty findings to suppress active security alerts from SOC visibility.
AWS AssociateIamInstanceProfile
Associates an IAM instance profile with an EC2 instance, granting the instance permissions defined by the profile's IAM role.
AWS AssumeRole
Returns temporary security credentials for assuming an IAM role. Allows an entity (user, service, or account) to act with the role's permissions.
AWS AssumeRoleWithSAML
Returns temporary credentials for a SAML-authenticated user to assume an IAM role, used in federated SSO scenarios.
AWS AssumeRoleWithWebIdentity
Returns temporary credentials for a user authenticated via an OIDC identity provider (e.g., Cognito, Google) to assume an IAM role.
AWS AttachGroupPolicy
Attaches a managed IAM policy to a group, granting all group members the permissions defined in that policy.
AWS AttachRolePolicy
Attaches a managed IAM policy to an IAM role, granting the role the permissions defined in that policy.
AWS AttachUserPolicy
Attaches a managed IAM policy directly to an IAM user, granting them the permissions defined in that policy.
AWS AuthorizeDBSecurityGroupIngress
Adds inbound rules to an RDS DB security group, allowing specified IP ranges or EC2 security groups to access the database.
AWS AuthorizeSecurityGroupEgress
Adds outbound rules to a VPC security group, permitting traffic from instances to specified destination IP ranges or security groups.
AWS AuthorizeSecurityGroupIngress
Adds inbound rules to a VPC security group, permitting traffic from specified IP ranges or security groups to reach instances.
GCP bigquery.jobs.insert
Creates and submits a BigQuery job (query, load, export, or copy) that accesses or transforms data in BigQuery datasets.
AWS ChangePassword
Allows an IAM user to change their own AWS Management Console login password.
GCP cloudsql.instances.export
Exports data from a Cloud SQL instance to a Cloud Storage bucket.
GCP compute.disks.setIamPolicy
Sets the IAM policy on a Compute Engine persistent disk, controlling which principals have access to it.
GCP compute.firewalls.delete
Deletes a firewall rule from a GCP VPC network.
GCP compute.firewalls.patch
Modifies an existing firewall rule in a GCP VPC network.
GCP compute.instances.addAccessConfig
Adds an external IP access configuration to an instance, exposing an internal resource to the internet.
GCP Compute.instances.setMetadata
Sets or updates instance-level metadata on a Compute Engine VM, which can include SSH keys or startup scripts.
GCP compute.instances.setServiceAccount
Changes the service account attached to a Compute Engine instance, enabling privilege escalation via service account swap.
GCP compute.projects.setCommonInstanceMetadata
Sets project-wide Compute Engine metadata, applied to all instances and commonly used to manage SSH keys.
Azure Consent To Application
Records an admin or user granting an Entra ID application permission to access resources via an OAuth 2.0 consent grant.
AWS ConsoleLogin
Records a sign-in attempt to the AWS Management Console, capturing success or failure status and whether MFA was used.
Azure CopyBlob
Copies a blob within or between Azure Storage accounts or containers.
AWS CopyObject
Copies an object from one S3 location to another, within or across buckets, optionally modifying metadata or encryption.
AWS CreateAccessEntry
Creates an access entry for an EKS cluster, granting an IAM principal Kubernetes API access via EKS access management.
AWS CreateAccessKey
Creates a new long-term access key for an IAM user, enabling programmatic access to AWS services.
AWS CreateAccount
Creates a new AWS account as a member of an AWS Organization under the management account.
AWS CreateAssociation
Creates an SSM State Manager association, binding a document to instances for persistent or scheduled command execution.
AWS CreateDBSnapshot
Creates a manual point-in-time snapshot of an RDS database instance for backup or recovery purposes.
AWS CreateDevEndpoint
Creates a Glue development endpoint providing SSH access into the Glue VPC with the Glue service role.
AWS CreateFilter
Creates a GuardDuty finding filter that automatically suppresses or highlights findings matching specified criteria.
AWS CreateImage
Creates an Amazon Machine Image (AMI) from a running or stopped EC2 instance, capturing its disk state for reuse.
AWS CreateInstanceExportTask
Exports an EC2 instance as a virtual machine image to an S3 bucket in a format such as OVF or VMDK.
AWS CreateIPSet
Creates a GuardDuty IP set — a list of trusted or known malicious IP addresses used in threat intelligence.
AWS CreateKeyPair
Creates an EC2 key pair and returns the private key material, used for SSH authentication to EC2 instances.
AWS CreateLoginProfile
Creates a password for an IAM user, enabling them to sign into the AWS Management Console.
AWS CreateNetworkAclEntry
Adds an allow or deny rule to a Network ACL, controlling traffic entering or leaving a specific VPC subnet.
AWS CreateOpenIDConnectProvider
Registers an OIDC identity provider with IAM, enabling federated access from external identity systems like GitHub Actions.
AWS CreatePolicy
Creates a new managed IAM policy that can be attached to users, groups, or roles to define permissions.
AWS CreatePolicyVersion
Creates a new version of an IAM managed policy, which can optionally be set as the default active version.
AWS CreateRole
Creates a new IAM role with a trust policy that defines which principals are permitted to assume it.
GCP CreateRole
Creates a custom IAM role in GCP with a specified set of granular permissions.
AWS CreateSAMLProvider
Registers a SAML 2.0 identity provider metadata document with IAM, enabling federated authentication via SAML.
AWS CreateServiceLinkedRole
Creates a service-linked IAM role that allows an AWS service to perform actions on your behalf.
AWS CreateSnapshot
Creates a point-in-time snapshot of an EBS volume, stored durably for backup or volume duplication.
AWS CreateStack
Creates a CloudFormation stack by provisioning AWS resources defined in a specified template.
AWS CreateUser
Creates a new IAM user in the AWS account for programmatic or console-based access.
AWS CreateVirtualMFADevice
Creates a virtual MFA device that can be associated with an IAM user for multi-factor authentication.
AWS DeactivateMFADevice
Deactivates an MFA device associated with an IAM user, removing the MFA requirement for their authentication.
AWS DeleteAccessKey
Permanently deletes an IAM user's access key, revoking the associated programmatic access credentials.
AWS DeleteAlarms
Deletes one or more CloudWatch alarms, removing their monitoring configurations and associated notifications.
AWS DeleteBucket
Permanently deletes an S3 bucket; the bucket must be empty before deletion can succeed.
AWS DeleteBucketPolicy
Removes the resource-based policy from an S3 bucket, reverting to default access controls.
AWS DeleteConfigRule
Deletes an AWS Config rule that was evaluating the compliance of AWS resource configurations.
AWS DeleteConfigurationRecorder
Deletes the AWS Config configuration recorder, stopping resource configuration recording in the region.
AWS DeleteDBCluster
Permanently deletes an Aurora DB cluster and optionally its automated backups.
AWS DeleteDBInstance
Permanently deletes an RDS database instance, with an option to take a final snapshot before deletion.
AWS DeleteDeliveryChannel
Deletes the AWS Config delivery channel, stopping delivery of configuration snapshots and change notifications to S3 or SNS.
AWS DeleteDetector
Disables and permanently deletes a GuardDuty detector in the region, stopping all threat detection.
AWS DeleteEventDataStore
Deletes a CloudTrail Lake event data store, destroying stored forensic evidence and audit logs.
AWS DeleteFileSystem
Permanently deletes an EFS file system and all its data; all mount targets must be deleted first.
AWS DeleteFlowLogs
Deletes VPC Flow Log configurations, stopping the capture of network traffic metadata for the specified resources.
AWS DeleteGlobalCluster
Deletes an Aurora global database cluster that spans multiple AWS regions.
AWS DeleteLogGroup
Permanently deletes a CloudWatch Logs log group and all its log streams and stored data.
AWS DeleteLoginProfile
Removes an IAM user's console password, preventing them from signing in to the AWS Management Console.
AWS DeleteLogStream
Permanently deletes a log stream and all its events from within a CloudWatch Logs log group.
AWS DeleteMembers
Removes member accounts from a GuardDuty administrator account, ending the delegated monitoring relationship.
AWS DeleteNetworkAcl
Deletes a Network ACL from a VPC; the default NACL cannot be deleted.
AWS DeleteNetworkAclEntry
Removes a rule from a Network ACL, modifying traffic filtering for the associated VPC subnet.
AWS DeleteObject
Deletes a single object from an S3 bucket; with versioning enabled, a delete marker is created instead.
AWS DeleteObjects
Deletes multiple S3 objects in a single batch request, more efficient than individual delete operations.
AWS DeleteRolePermissionsBoundary
Removes the permissions boundary from an IAM role, potentially expanding the role's maximum effective permissions.
AWS DeleteRolePolicy
Deletes an inline policy embedded directly in an IAM role.
AWS DeleteRuleGroup
Permanently deletes a WAF rule group containing a set of web traffic filtering rules.
AWS DeleteSnapshot
Permanently deletes an EBS snapshot; any AMIs based on it must be deregistered first.
AWS DeleteTrail
Permanently deletes a CloudTrail trail, stopping API activity logging for that trail configuration.
AWS DeleteUser
Permanently deletes an IAM user; all attached policies, group memberships, and keys must be removed first.
AWS DeleteUserPermissionsBoundary
Removes the permissions boundary from an IAM user, potentially expanding their maximum effective permissions.
AWS DeleteUserPolicy
Deletes an inline policy embedded directly in an IAM user.
AWS DeleteVirtualMFADevice
Deletes a virtual MFA device, weakening account security by removing multi-factor authentication.
AWS DeleteVolume
Permanently deletes an EBS volume; the volume must be detached from any instance before deletion.
AWS DeleteWebACL
Permanently deletes a WAF Web ACL used to protect web applications from common web threats.
AWS DetachRolePolicy
Detaches a managed IAM policy from a role, removing those permissions from the role's effective policy.
AWS DetachUserPolicy
Detaches a managed IAM policy from an IAM user, removing those permissions from the user.
Azure Disable Strong Authentication
Disables multi-factor authentication for a user account, weakening authentication security.
AWS DisableKey
Disables a KMS encryption key, preventing any operations that depend on it until the key is re-enabled.
AWS DisassociateFromMasterAccount
Disassociates the current account from its GuardDuty administrator account, ending the delegated monitoring relationship.
AWS DisassociateMembers
Disassociates specified member accounts from a GuardDuty administrator account.
AWS EnableRegion
Enables a previously disabled AWS region for the account, making its services available for use.
AWS EnableSerialConsoleAccess
Enables the EC2 Serial Console at the account level, allowing direct serial port access to instances for troubleshooting.
GCP EnableServiceAccount
Re-enables a previously disabled GCP service account, restoring its ability to authenticate and make API calls.
GCP generateAccessToken
Generates a short-lived OAuth2 access token for a service account, used for impersonation or workload federation. This is the admin activity audit log format; see also iam.serviceAccounts.getAccessToken for the data access format.
AWS GetAuthorizationToken
Retrieves an ECR authorization token for Docker image operations, seen in container escape and lateral movement chains.
AWS GetFederationToken
Returns temporary security credentials for a federated user, optionally scoped to an inline IAM policy.
AWS GetObject
Retrieves (downloads) an object from an S3 bucket; logged in CloudTrail only when S3 data events are enabled.
AWS GetParameters
Retrieves one or more parameters from AWS Systems Manager Parameter Store, optionally decrypting SecureString values.
AWS GetPasswordData
Retrieves the encrypted Windows administrator password for a newly launched EC2 Windows instance.
AWS GetSecretValue
Retrieves the plaintext value of a secret stored in AWS Secrets Manager.
AWS GetSessionToken
Returns temporary credentials for an IAM user, typically used to satisfy an MFA requirement for subsequent API calls.
AWS GetSigninToken
Generates a sign-in token used to construct a federation URL for single sign-on to the AWS Management Console.
GCP google.cloud.securitycenter.v1.SecurityCenter.SetMute
Mutes Security Command Center findings, suppressing security alerts from visibility.
GCP google.iam.admin.v1.CreateServiceAccountKey
Creates a new key for a GCP service account, producing a JSON credentials file for programmatic authentication. This is the admin activity audit log format; see also iam.serviceAccountKeys.create for the data access format.
GCP google.iam.admin.v1.DeleteServiceAccount
Deletes a service account, disrupting workloads and applications that depend on it for authentication.
GCP google.iam.admin.v1.DeleteServiceAccountKey
Deletes a service account key, potentially removing evidence of attacker-created credentials.
GCP google.iam.admin.v1.SetIAMPolicy or SetIAMPolicy
Replaces the complete IAM policy for a GCP resource, controlling access for all principals.
GCP google.iam.admin.v1.UploadServiceAccountKey
Uploads an external key to a service account, enabling persistent access that survives credential rotation.
GCP google.logging.v2.ConfigServiceV2.DeleteLog
Deletes log entries from Cloud Logging, destroying forensic evidence of attacker activity.
GCP google.logging.v2.ConfigServiceV2.UpdateExclusion
Modifies a logging exclusion filter to silently drop specific log entries, hiding ongoing attacker activity.
GCP google.ssh-serialport.v1.connect
Establishes a serial console connection to a Compute Engine VM, providing low-level instance access.
GCP iam.roles.update
Updates an existing custom IAM role, modifying its set of permitted permissions.
GCP iam.serviceAccountKeys.create
Creates a new key for a GCP service account, generating credentials for external services to authenticate as the account. This is the data access audit log format; see also google.iam.admin.v1.CreateServiceAccountKey for the admin activity format.
GCP iam.serviceAccountKeys.implicitDelegation
Records a token exchange where a service account implicitly delegates its authority to another identity.
GCP iam.serviceAccounts.actAs
Records use of the actAs permission, where one identity impersonates and acts on behalf of a GCP service account.
GCP iam.serviceAccounts.getAccessToken
Generates an OAuth2 access token for a service account via the IAM Credentials API, enabling service account impersonation. This is the data access audit log format; see also generateAccessToken for the admin activity format.
GCP iam.serviceAccounts.signJwt
Signs a JWT on behalf of a service account via the IAM Credentials API, used for authentication or token exchange.
AWS ImportKeyPair
Imports an existing RSA or ED25519 public key into EC2 for use as a key pair when launching instances.
Azure Invite External User
Sends a B2B guest invitation to an external user, granting them access to the tenant's resources.
AWS Invoke
Invokes a Lambda function synchronously or asynchronously, triggering its execution with an optional input payload.
AWS LeaveOrganization
Removes the current member account from its AWS Organization; the management account cannot leave.
GCP logging.projects.exclusions.create
Creates a log exclusion rule in Cloud Logging that prevents matching log entries from being ingested.
GCP logging.sinks.delete
Deletes a Cloud Logging sink that was routing log entries to a destination such as Cloud Storage or BigQuery.
GCP logging.sinks.update
Modifies a Cloud Logging sink's configuration, such as its destination or log filter criteria.
Azure Microsoft.AppConfiguration/configurationStores/listKeys/action
Lists the access keys for an Azure App Configuration store, exposing credentials used to read or write configuration data.
Azure Microsoft.Authorization/elevateAccess/action
Global Admin elevates to User Access Administrator at root scope, granting control over all Azure subscriptions.
Azure Microsoft.Authorization/locks/delete
Deletes a resource lock, removing protection against deletion or modification of critical resources.
Azure Microsoft.Authorization/roleAssignments/delete
Deletes a role assignment, removing access for legitimate users and disrupting operations.
Azure Microsoft.Authorization/roleAssignments/write
Creates or updates an Azure RBAC role assignment, granting a principal specific permissions on a resource or scope.
Azure Microsoft.Automation/automationAccounts/credentials/read
Reads credential assets stored in an Azure Automation account, potentially exposing sensitive authentication data.
Azure Microsoft.Automation/automationAccounts/jobs/write
Creates or starts a runbook job in an Azure Automation account.
Azure Microsoft.Automation/automationAccounts/runbooks/write
Creates or updates a runbook in an Azure Automation account.
Azure Microsoft.Automation/automationAccounts/webhooks/action
Triggers an Azure Automation runbook via a webhook invocation.
Azure Microsoft.Automation/automationAccounts/webhooks/write
Creates or updates a webhook that can trigger an Azure Automation runbook remotely.
Azure Microsoft.Batch/batchAccounts/listKeys/action
Lists the access keys for an Azure Batch account, exposing credentials used to authenticate Batch API calls.
Azure Microsoft.Compute/disks/beginGetAccess/action
Generates a time-limited SAS URL to access or download the data of an Azure managed disk.
Azure Microsoft.Compute/snapshots/beginGetAccess/action
Generates a time-limited SAS URL to access or download the data from an Azure VM disk snapshot.
Azure Microsoft.Compute/sshPublicKeys/write
Creates or updates an SSH public key resource in Azure, used to authenticate to Linux virtual machines.
Azure Microsoft.Compute/virtualMachines/delete
Permanently deletes an Azure virtual machine.
Azure Microsoft.Compute/virtualMachines/extensions/write
Installs or updates a VM extension on an Azure virtual machine, which can run scripts or install software agents.
Azure Microsoft.Compute/virtualMachines/runCommand/action
Executes a script or command on an Azure VM without requiring network-based access such as SSH or RDP.
Azure Microsoft.Compute/virtualMachines/write (CustomScriptExtension)
Creates or updates an Azure VM with a Custom Script Extension, executing a script on the VM at provisioning time.
Azure Microsoft.ContainerRegistry/registries/listCredentials/action
Lists the admin credentials for an Azure Container Registry, exposing the username and password for registry access.
Azure Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
Retrieves the cluster-admin kubeconfig for an AKS cluster, granting full administrative access to the cluster.
Azure Microsoft.ContainerService/managedClusters/listClusterUserCredential/action
Retrieves the user-level kubeconfig for an AKS cluster.
Azure Microsoft.ContainerService/managedClusters/runCommand/action
Executes a command against an AKS cluster's Kubernetes API without requiring direct network connectivity to the API server.
Azure Microsoft.Directory/groups/members/update
Adds or removes members from an Entra ID security group or Microsoft 365 group.
Azure Microsoft.Directory/servicePrincipals/credentials/update
Adds or updates credentials (client secrets or certificates) for an Entra ID service principal.
Azure Microsoft.EventHub/namespaces/eventhubs/delete
Permanently deletes an Azure Event Hub entity within a namespace.
Azure Microsoft.HybridCompute/machines/extensions/delete
Removes an extension from an Azure Arc-enabled server.
Azure Microsoft.Insights/activityLogAlerts/delete
Deletes an activity log alert rule, disabling security detection and notification capabilities.
Azure Microsoft.Insights/diagnosticSettings/delete
Deletes an Azure Monitor diagnostic setting, stopping the forwarding of logs and metrics to a configured destination.
Azure Microsoft.Insights/metricAlerts/delete
Deletes an Azure Monitor metric alert rule.
Azure Microsoft.KeyVault/vaults/accessPolicies/write
Modifies Key Vault access policies, potentially granting unauthorized access to secrets, keys, and certificates.
Azure Microsoft.KeyVault/vaults/certificates/read
Reads a certificate stored in an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/delete
Permanently deletes an Azure Key Vault; without soft-delete, all secrets, keys, and certificates are unrecoverable.
Azure Microsoft.KeyVault/vaults/keys/read
Reads a cryptographic key from an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/secrets/delete
Deletes a secret from an Azure Key Vault.
Azure Microsoft.KeyVault/vaults/secrets/read
Reads a secret value from an Azure Key Vault.
Azure Microsoft.ManagedIdentity/userAssignedIdentities/assign/action
Assigns a user-assigned managed identity to an Azure resource, enabling it to authenticate to other Azure services.
Azure Microsoft.Network/networkSecurityGroups/delete
Deletes a network security group, removing network access controls from associated resources.
Azure Microsoft.Network/networkSecurityGroups/securityRules/write
Creates or updates a security rule in an Azure Network Security Group, controlling inbound or outbound traffic.
Azure Microsoft.Network/networkWatchers/flowLogs/delete
Deletes an NSG flow log configuration, stopping the capture of network traffic metadata for a network security group.
Azure Microsoft.Network/virtualNetworks/virtualNetworkPeerings/write
Creates or modifies a virtual network peering, enabling network connectivity for lateral movement across VNets.
Azure Microsoft.OperationalInsights/workspaces/delete
Permanently deletes a Log Analytics workspace and its stored data.
Azure Microsoft.OperationalInsights/workspaces/sharedKeys/action
Retrieves the primary and secondary access keys for a Log Analytics workspace.
Azure Microsoft.RecoveryServices/vaults/backupProtectedItems/delete
Removes a protected item from Azure Backup, stopping protection and deleting associated backup data.
Azure Microsoft.Security/alertsSuppressionRules/write
Creates or updates a suppression rule in Microsoft Defender for Cloud, hiding matching security alerts.
Azure Microsoft.Security/autoProvisioningSettings/write
Modifies auto-provisioning settings, potentially disabling automatic deployment of security monitoring agents.
Azure Microsoft.Security/pricings/write
Changes the pricing tier (plan) for Microsoft Defender for Cloud on a subscription or specific resource type.
Azure Microsoft.Security/securitySolutions/delete
Removes a security solution integrated with Microsoft Defender for Cloud.
Azure Microsoft.SerialConsole/serialPorts/connect/action
Connects to the serial console of an Azure VM, providing low-level access without requiring network connectivity.
Azure Microsoft.ServiceBus/namespaces/authorizationRules/listKeys/action
Lists the access keys for an Azure Service Bus namespace authorization rule, exposing connection strings for messaging.
Azure Microsoft.Sql/servers/databases/delete
Permanently deletes an Azure SQL Database.
Azure Microsoft.Sql/servers/databases/export/action
Exports an Azure SQL Database to a BACPAC file stored in Azure Blob Storage.
Azure Microsoft.Storage/storageAccounts/blobServices/containers/delete
Permanently deletes a blob container from an Azure Storage account.
Azure Microsoft.Storage/storageAccounts/delete
Permanently deletes an Azure Storage account and all of its data.
Azure Microsoft.Storage/storageAccounts/listKeys/action
Lists the access keys for an Azure Storage account, exposing credentials that provide full data-plane access.
Azure Microsoft.Storage/storageAccounts/regenerateKey/action
Regenerates one of the two access keys for an Azure Storage account, invalidating the previous key.
Azure Microsoft.Storage/storageAccounts/stopLogging/action
Stops logging for an Azure Storage account, disabling the collection of storage analytics logs.
Azure Microsoft.Web/sites/host/listKeys/action
Lists the host keys for an Azure App Service or Azure Functions app, exposing function-level and master access keys.
AWS ModifyDBInstance
Modifies settings on an RDS database instance, such as instance class, storage, networking, and access configuration.
AWS ModifyDBSnapshotAttribute
Modifies the attributes of an RDS DB snapshot, such as sharing it with other AWS accounts.
AWS ModifyImageAttribute
Modifies attributes of an AMI, such as making it public or sharing it with specific AWS accounts.
AWS ModifyInstanceAttribute
Modifies a specific attribute of an EC2 instance, such as its instance type, user data, or security groups.
AWS ModifySnapshotAttribute
Modifies the permissions of an EBS snapshot, such as making it public or sharing it with specific AWS accounts.
AWS PassRole
Allows a principal to pass an IAM role to an AWS service, granting the service permission to assume that role on their behalf.
AWS PasswordRecoveryRequested
Records a request to recover or reset the AWS account root user password via the password reset process.
AWS PutBucketAcl
Sets the Access Control List (ACL) for an S3 bucket, controlling access for specific AWS accounts or predefined groups.
AWS PutBucketLifecycle
Sets lifecycle configuration on an S3 bucket to automate object transitions or expiration over time.
AWS PutBucketLifecycleConfiguration
Sets lifecycle rules on an S3 bucket to automatically transition objects to cheaper storage tiers or expire them.
AWS PutBucketPolicy
Applies or replaces the resource-based policy on an S3 bucket, defining who can access it and how.
AWS PutBucketPublicAccessBlock
Modifies S3 bucket public access block settings, potentially disabling protections to allow public data exposure.
AWS PutBucketReplication
Enables replication for an S3 bucket, automatically copying objects to a destination bucket in the same or another region.
AWS PutEventSelectors
Configures which API events (management or data, read/write) a CloudTrail trail records.
AWS PutGroupPolicy
Creates or updates an inline policy embedded directly in an IAM group.
AWS PutImage
Pushes a container image to ECR, potentially introducing backdoored images into the deployment pipeline.
AWS PutKeyPolicy
Modifies a KMS key policy to grant cross-account access or expand key usage permissions.
AWS PutRolePermissionsBoundary
Sets a permissions boundary on an IAM role, capping the maximum permissions the role can be granted.
AWS PutRolePolicy
Creates or updates an inline policy embedded directly in an IAM role.
AWS PutRule
Creates an EventBridge rule that triggers on specific events, used for persistent execution of Lambda or other targets.
AWS PutTargets
Adds or updates targets for an EventBridge rule, defining which resources are invoked when the rule matches an event.
AWS PutUserPermissionsBoundary
Sets a permissions boundary on an IAM user, limiting the maximum permissions they can ever be granted.
AWS PutUserPolicy
Creates or updates an inline policy embedded directly in an IAM user.
AWS RemoveAccountFromOrganization
Removes an AWS account from the organization, stripping it of SCP protections and centralized security controls.
AWS ReplaceIamInstanceProfileAssociation
Replaces the IAM instance profile associated with a running EC2 instance with a different one.
Azure Reset User Password
Resets an Entra ID user's password through an administrative action.
AWS RestoreDBInstanceFromDBSnapshot
Restores an RDS instance from a snapshot, enabling an attacker to access database contents by spinning up a copy.
AWS ResumeSession
Resumes a previously disconnected Systems Manager Session Manager session with a managed instance.
AWS ScheduleKeyDeletion
Schedules a KMS customer managed key for deletion after a waiting period (7-30 days), after which encrypted data is unrecoverable.
GCP secretmanager.secrets.delete
Permanently deletes a secret and all of its versions from GCP Secret Manager.
GCP SecretManagerService.AccessSecretVersion
Retrieves the plaintext value of a specific secret version from GCP Secret Manager.
GCP SecretManagerService.DestroySecretVersion
Permanently destroys a specific version of a secret in GCP Secret Manager, making its data irrecoverable.
GCP Securitycenter.settings.update
Updates the settings or configuration of Google Security Command Center for the organization or project.
GCP Securitycenter.sources.delete
Deletes a finding source from Google Security Command Center.
AWS SendCommand
Remotely executes a command or script on one or more managed instances via AWS Systems Manager Run Command.
AWS SendSerialConsoleSSHPublicKey
Pushes an SSH public key to an EC2 instance's serial console interface, enabling SSH access over the serial port.
AWS SendSSHPublicKey
Pushes a temporary SSH public key to an EC2 instance via EC2 Instance Connect, valid for 60 seconds.
AWS SetDefaultPolicyVersion
Sets the default version of an IAM managed policy, changing which version of the policy is active for all attached entities.
AWS SharedSnapshotCopyInitiated
Records the start of a copy operation for an EBS snapshot shared from another AWS account.
AWS SharedSnapshotVolumeCreated
Records the creation of an EBS volume from a snapshot shared by another AWS account.
AWS StartBuild
Starts a CodeBuild build, executing arbitrary code with the build project's IAM role credentials.
AWS StartExportTask
Starts an export of an RDS snapshot to Amazon S3 in Apache Parquet format for use in analytics.
AWS StartSession
Starts an interactive Systems Manager Session Manager session with a managed EC2 instance or on-premises server.
AWS StopConfigurationRecorder
Stops AWS Config from recording resource configuration changes in the region.
AWS StopLogging
Stops logging API activity for a CloudTrail trail, disabling audit log collection for that trail.
AWS StopMonitoringMembers
Stops GuardDuty from monitoring specified member accounts under an administrator account.
GCP storage.buckets.delete
Permanently deletes a GCP Cloud Storage bucket; the bucket must be empty before deletion.
GCP storage.hmacKeys.create
Creates HMAC keys for S3-compatible access to Cloud Storage, providing a persistent access mechanism often missed by defenders.
GCP storage.objects.delete
Deletes objects from Cloud Storage, used in data destruction or anti-forensics operations.
GCP storage.setIamPermissions
Sets the IAM policy on a Cloud Storage bucket or object, controlling which principals can access it.
AWS TerminateInstances
Permanently terminates one or more EC2 instances, releasing instance store data and associated resources.
Azure Update Conditional Access Policy
Modifies an existing Conditional Access policy, changing the conditions or controls that govern how users authenticate.
Azure Update named location
Updates a named location definition (IP ranges or countries) used in Entra ID Conditional Access policy conditions.
Azure Update Role Definition
Modifies an existing custom Azure RBAC role definition, updating its allowed or denied actions.
Azure Update User Authentication Methods
Changes the MFA or passwordless authentication methods registered for a user in Microsoft Entra ID.
AWS UpdateAccessKey
Changes the status of an IAM user's access key between Active and Inactive.
AWS UpdateAssumeRolePolicy
Updates the trust policy of an IAM role, changing which principals are permitted to assume it.
AWS UpdateDetector
Updates the configuration of a GuardDuty detector, such as enabling or disabling specific threat detection data sources.
AWS UpdateDevEndpoint
Updates a Glue development endpoint, potentially injecting SSH public keys for unauthorized access.
AWS UpdateFindingsFeedback
Updates the feedback status on GuardDuty findings, marking them as useful or not useful.
AWS UpdateFunctionCode20150331v2
Updates the code of an existing Lambda function with a new deployment package or container image URI.
AWS UpdateFunctionConfiguration20150331v2
Updates Lambda function configuration including environment variables, IAM role, or layers — used to inject credentials or swap execution context.
AWS UpdateIPSet
Modifies the IP addresses or CIDR ranges in a GuardDuty IP set used for threat intelligence.
AWS UpdateLoginProfile
Updates the console login password for an IAM user.
AWS UpdateTrail
Modifies the configuration of an existing CloudTrail trail, such as its S3 bucket, log validation, or multi-region settings.
GCP users.importSshPublicKey
Imports an SSH public key into a user's GCP OS Login profile, enabling SSH access to Compute Engine instances.
GCP users.sshPublicKeys.patch
Updates an existing SSH public key in a user's GCP OS Login profile.
Azure VaultPatch
Updates the properties of an Azure Key Vault, such as its access policies, network rules, or soft-delete configuration.