Use Case

Catch Cloud-Native Threats Hiding in Your Audit Logs

Attackers with valid cloud credentials — stolen via phishing, credential spray, or session token theft — can enumerate S3 buckets, create backdoor IAM roles, and pivot to on-premises infrastructure entirely within the cloud management plane. These attacks generate CloudTrail events, but CloudTrail alone cannot distinguish a legitimate AssumeRole call from a compromised one. ThretVyn correlates CloudTrail events with EDR telemetry and identity provider logs to surface the attack chain. ThretVyn is not a CSPM tool — it detects active attack sequences, not misconfiguration drift.

Threat Patterns Detected

Cloud-Born Attack Sequences ThretVyn Detects

Compromised Credential Cloud Access

Unusual AssumeRole or GetSessionToken calls from anomalous geography or IP block, correlated with concurrent endpoint LSASS access and identity provider failed-auth bursts — surfacing credential theft before exfiltration begins. Maps to MITRE ATT&CK T1552.001 (Cloud Credential Files) and T1078.004 (Cloud Accounts).

Cloud-to-On-Premises Lateral Movement

Attackers who pivot from cloud infrastructure to on-premises networks leave a trail that crosses CloudTrail management events and endpoint process events. ThretVyn connects the pivot by correlating the IAM session that initiated cloud access with the subsequent endpoint lateral movement detected by EDR.

S3 / Blob Storage Exfiltration Staging

High-volume S3 GetObject or Azure Blob download events correlated with identity session anomalies — flagging data staging before exfiltration completes. Maps to MITRE ATT&CK T1537 (Transfer Data to Cloud Account).

Backdoor IAM Role Creation

CreateRole, AttachRolePolicy, or CreateAccessKey events correlated with unusual login geography and endpoint staging activity — identifying persistent access backdoor creation. Maps to MITRE ATT&CK T1098.001 (Additional Cloud Credentials).
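As an added illustration of the correlation logic behind the Compromised Credential Cloud Access and Backdoor IAM Role Creation patterns above (example code written for this page, not ThretVyn's own implementation, which the page does not show), a minimal Python correlator that joins CloudTrail, EDR and identity-provider records on user and time window. The event field names, the per-user geography baseline, the 30-minute window and the failed-auth burst threshold are all assumptions; the telemetry is constructed.

```python
from datetime import datetime, timedelta

def ts(s):
    return datetime.fromisoformat(s)

# Constructed sample telemetry (not real data): one user whose cloud session
# comes from a country outside their baseline, preceded by LSASS access on
# their endpoint and a burst of failed IdP logins; one user behaving normally.
CLOUDTRAIL = [
    {"ts": "2024-05-01T10:00:00", "eventName": "AssumeRole", "user": "alice", "country": "DE"},
    {"ts": "2024-05-01T10:05:00", "eventName": "CreateAccessKey", "user": "alice", "country": "DE"},
    {"ts": "2024-05-01T11:00:00", "eventName": "AssumeRole", "user": "bob", "country": "US"},
]
EDR = [{"ts": "2024-05-01T09:50:00", "user": "alice", "event": "lsass_handle_open", "process": "procdump.exe"}]
IDP = [{"ts": f"2024-05-01T09:4{i}:00", "user": "alice", "result": "failure"} for i in range(6)]
BASELINE = {"alice": {"US"}, "bob": {"US"}}  # assumed per-user "usual" login countries

SESSION_EVENTS = {"AssumeRole", "GetSessionToken"}
PERSISTENCE_EVENTS = {"CreateRole", "AttachRolePolicy", "CreateAccessKey"}

def _within(events, user, at, window):
    """Events for `user` in the `window` preceding `at` (inclusive)."""
    lo = at - window
    return [e for e in events if e["user"] == user and lo <= ts(e["ts"]) <= at]

def correlate(cloudtrail, edr, idp, baseline, window=timedelta(minutes=30), fail_burst=5):
    findings = []
    for ev in cloudtrail:
        at, user = ts(ev["ts"]), ev["user"]
        anomalous_geo = ev["country"] not in baseline.get(user, set())
        if not anomalous_geo:
            continue  # a session from the user's usual geography is not suspicious on its own
        lsass = [e for e in _within(edr, user, at, window) if e["event"] == "lsass_handle_open"]
        failures = [e for e in _within(idp, user, at, window) if e["result"] == "failure"]
        if ev["eventName"] in SESSION_EVENTS and lsass and len(failures) >= fail_burst:
            findings.append({"user": user, "pattern": "compromised_credential_cloud_access",
                             "evidence": {"cloud": ev["eventName"], "lsass": lsass[0]["process"],
                                          "failed_auths": len(failures)}})
        elif ev["eventName"] in PERSISTENCE_EVENTS and (lsass or failures):
            findings.append({"user": user, "pattern": "backdoor_iam_role_creation",
                             "evidence": {"cloud": ev["eventName"], "country": ev["country"]}})
    return findings

if __name__ == "__main__":
    for f in correlate(CLOUDTRAIL, EDR, IDP, BASELINE):
        print(f)
```

Bob's AssumeRole from his baseline country produces no finding; Alice's session and the CreateAccessKey that follows it are each surfaced with the endpoint and identity evidence that CloudTrail alone could not supply.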

Connect Your Cloud Sources in 15 Minutes

AWS CloudTrail, Azure Activity Log, and GCP Audit Logs — all three are available on the Essentials tier.