An attempt by a user to gain access to a network or computing resource by providing web credentials (e.g., Windows EID 1202).

| Name | Channel |
|---|---|
| AWS:CloudTrail | SessionToken used without preceding MFA or login event |
| AWS:CloudTrail | AssumeRoleWithSAML |
| AWS:CloudTrail | GetSessionToken, AssumeRoleWithWebIdentity |
| AWS:CloudTrail | AssumeRole, GetFederationToken, GetSessionToken |
| AWS:CloudTrail | GetCallerIdentity |
| azure:signinlogs | TokenIssued, RefreshTokenUsed |
| azure:signinLogs | TokenIssuanceStart, TokenIssuanceSuccess |
| kubernetes:apiserver | serviceAccount token used in API requests not tied to workload identity |
| m365:exchange | Mailbox access using SAML token without corresponding MFA event |
| m365:unified | SessionId reused from different device/browser fingerprint |
| m365:unified | Session activity without correlated login event |
| m365:unified | OAuthTokenIssued, FileAccessed, MailItemsAccessed |
| m365:unified | TokenIssued, FileAccessed |
| macos:unifiedlog | New session initiated using cookies without normal MFA or password validation |
| macos:unifiedlog | Web sessions initiated with newly forged tokens |
| NSM:Connections | Pre-authentication keys generated or token signing anomalies |
| saas:access | SAML token accepted without preceding login challenge |
| saas:auth | API requests made with tokens not associated with expected user logins |
| saas:googleworkspace | OAuthTokenGranted, APIRequest |
| saas:googleworkspace | access_token issued |