Tag
This threat detection rule identifies initial reconnaissance activities within AWS by flagging an IAM principal's first-time invocation of sensitive discovery APIs, such as GetCallerIdentity, ListUsers, ListBuckets, and DescribeInstances, when the originating IP address is associated with consumer VPNs, high-usage hosting providers, or networks linked to threat groups like TeamPCP, indicating an attacker performing enumeration of cloud resources from a suspicious network origin.