Provider-Specific Attack Hunt Queries
AWS
# Read-only triage commands. Replace each <...> placeholder before running;
# left as typed, the shell parses < and > as redirections.
# Confirm which account and principal (Account, Arn, UserId) the current
# credentials resolve to, so the queries below run in the intended account.
aws sts get-caller-identity
# List CloudTrail event-history entries recorded for one principal.
# lookup-events covers management events from the last 90 days in the
# current region only; data events (e.g. S3 object access) are not returned
# and need a trail or event data store. Add --start-time/--end-time to bound
# the window to the period under investigation.
# NOTE(review): for assumed-role sessions the Username attribute is usually
# the role session name, not the role name - confirm against a known event.
aws cloudtrail lookup-events \
--lookup-attributes AttributeKey=Username,AttributeValue=<principal>
# Show the role's trust policy (AssumeRolePolicyDocument) and RoleLastUsed.
# Permission policies are not part of this output; list them separately
# (list-attached-role-policies, list-role-policies).
aws iam get-role --role-name <role-name>
# Show which EKS control-plane log types (api, audit, authenticator, ...)
# are enabled. If "audit" is not enabled, Kubernetes audit events for this
# cluster are not being delivered to CloudWatch Logs and cannot be hunted.
aws eks describe-cluster --name <cluster-name> --query 'cluster.logging'
Azure
# Read-only triage commands. Replace each <...> placeholder before running;
# left as typed, the shell parses < and > as redirections.
# List Activity Log (control-plane) events for one resource group over the
# last 2 days. Data-plane operations are not in the Activity Log; they need
# resource logs routed through diagnostic settings. The Activity Log itself
# is retained for 90 days unless exported.
az monitor activity-log list --resource-group <rg> --offset 2d
# List role assignments for one principal. By default only assignments
# scoped to the subscription are shown; add --all to include resource-group
# and resource scopes, and --include-groups to include assignments the
# principal receives through group membership.
az role assignment list --assignee <principal-id>
# Dump the managed cluster's configuration for review.
# NOTE(review): Kubernetes audit logging for AKS is configured through
# diagnostic settings on the cluster resource and is not expected in this
# output - verify it separately.
az aks show -g <rg> -n <cluster>
# Show a user-assigned managed identity (clientId, principalId, tenantId).
# The principalId is the value to pass to the role-assignment query above.
az identity show -g <rg> -n <identity-name>
GCP
# Read-only triage commands. Replace each <...> placeholder before running;
# left as typed, the shell parses < and > as redirections.
# List credentialed accounts and show which one is active, so the queries
# below run as the intended identity.
gcloud auth list
# Read the newest 50 Cloud Audit Logs entries from the current project.
# "logName:" is a substring match, so it covers every audit log stream
# (activity, data_access, system_event, policy). severity>=DEFAULT excludes
# nothing, because DEFAULT is the lowest severity. Without --freshness or a
# timestamp filter only the last 1 day is searched. Data Access audit logs
# are disabled by default for most services, so their absence here does not
# mean no data access occurred.
gcloud logging read \
'logName:"cloudaudit.googleapis.com" AND severity>=DEFAULT' \
--limit=50 --format=json
# Show the IAM policy bindings set on the project itself. Bindings inherited
# from the folder or organization, and policies set on individual resources,
# are not included in this output.
gcloud projects get-iam-policy <project-id>
# Dump the GKE cluster's configuration for review (for example its logging
# and workload identity settings).
gcloud container clusters describe <cluster-name> --location <location>