According to Unit 42, cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted operations by known threat actors, so the researchers studied two groups with markedly different techniques to map cloud alerts to MITRE ATT&CK tactics. The study analysed cloud alerting events across 22 industries between June 2024 and June 2025, correlating the MITRE techniques used by Muddled Libra and Silk Typhoon with the alerts those techniques trigger in cloud environments.
It found nearly 70 unique alerts associated with Muddled Libra and just over 50 for Silk Typhoon, with only three MITRE techniques common to both groups. The analysis highlighted that Microsoft Azure environments, including Graph API usage for resource enumeration and Microsoft 365 storage exfiltration, feature prominently in the top alerts for Muddled Libra and Silk Typhoon respectively.
The researchers concluded that fingerprinting alert patterns could help organisations implement predictive and proactive cloud defence, enabling earlier threat detection and mitigation.
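The methodology the summary describes (map each actor's ATT&CK techniques to the cloud alerts they trigger, measure the overlap between actors, then use the resulting alert fingerprint to recognise an actor early in an alert stream) can be sketched in a few functions. The code below is an added illustration, not Unit 42's tooling or data: the actor names, the technique-to-alert mapping, the actor technique sets and the sample alert log are all constructed for this example, and the ATT&CK technique IDs, while real, are assigned to "Actor-A" and "Actor-B" purely for illustration.

```python
"""Fingerprinting cloud alerts per threat actor and scoring an observed alert
stream against those fingerprints.  Added example; all mappings are constructed."""

# Constructed mapping: ATT&CK technique ID -> cloud alert names it tends to raise.
# The technique IDs are real ATT&CK identifiers; the alert names are hypothetical.
TECHNIQUE_ALERTS = {
    "T1078.004": {"Unusual cloud sign-in location", "Impossible travel"},
    "T1621":     {"Repeated MFA push prompts"},
    "T1580":     {"Graph API resource enumeration", "Unusual subscription listing"},
    "T1530":     {"Mass download from M365 storage", "SharePoint bulk export"},
    "T1190":     {"Exploit attempt on public-facing app"},
    "T1505.003": {"Web shell dropped on app service"},
    "T1098":     {"New service principal credential added"},
}

# Constructed actor profiles (hypothetical technique sets, not real intel).
ACTOR_TECHNIQUES = {
    "Actor-A": {"T1078.004", "T1621", "T1580", "T1098"},   # identity-centric
    "Actor-B": {"T1190", "T1505.003", "T1530", "T1098"},   # exploit-and-exfiltrate
}

# Constructed alert log: timestamp|tenant|alert name, one event per line.
SAMPLE_LOG = """\
2025-03-01T08:02:11Z|tenant-01|Impossible travel
2025-03-01T08:05:40Z|tenant-01|Repeated MFA push prompts
2025-03-01T08:09:03Z|tenant-01|Graph API resource enumeration
2025-03-01T08:15:27Z|tenant-01|New service principal credential added
2025-03-01T08:20:55Z|tenant-01|Impossible travel
"""


def build_fingerprints(actor_techniques, technique_alerts):
    """Each actor's fingerprint is the union of alerts its techniques can raise."""
    return {
        actor: set().union(*(technique_alerts.get(t, set()) for t in techs))
        for actor, techs in actor_techniques.items()
    }


def shared_techniques(actor_techniques):
    """Techniques common to every profiled actor (the overlap the study measured)."""
    sets = list(actor_techniques.values())
    return set.intersection(*sets) if sets else set()


def parse_alert_log(text):
    """Return the alert names from pipe-delimited log lines, skipping blanks."""
    names = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _tenant, name = line.split("|", 2)
        names.append(name.strip())
    return names


def score_observed(observed_alerts, fingerprints):
    """For each actor: which fingerprint alerts were seen, what fraction of the
    fingerprint that covers, and what fraction of observed alerts it explains."""
    observed = set(observed_alerts)
    scores = {}
    for actor, fp in fingerprints.items():
        hit = observed & fp
        scores[actor] = {
            "matched": sorted(hit),
            "coverage": round(len(hit) / len(fp), 2) if fp else 0.0,
            "precision": round(len(hit) / len(observed), 2) if observed else 0.0,
        }
    return scores


def rank_actors(observed_alerts, fingerprints, min_coverage=0.3):
    """Actors whose fingerprint coverage clears the threshold, best first."""
    scores = score_observed(observed_alerts, fingerprints)
    ranked = [(a, s["coverage"]) for a, s in scores.items() if s["coverage"] >= min_coverage]
    return sorted(ranked, key=lambda pair: pair[1], reverse=True)


if __name__ == "__main__":
    fps = build_fingerprints(ACTOR_TECHNIQUES, TECHNIQUE_ALERTS)
    print("shared techniques:", shared_techniques(ACTOR_TECHNIQUES))
    observed = parse_alert_log(SAMPLE_LOG)
    for actor, s in score_observed(observed, fps).items():
        print(actor, s)
    print("ranked:", rank_actors(observed, fps))
```

The coverage score is deliberately computed against the actor's full fingerprint rather than the raw alert count, so a handful of high-overlap alerts early in an intrusion already separates the two profiles; the single technique both constructed actors share contributes one alert to each fingerprint and, on its own, never lifts either actor over the threshold.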