Anomalous access to cloud web applications using session tokens without corresponding MFA/credential validation, often from unusual locations or device fingerprints.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | AWS:CloudTrail | SessionToken used without preceding MFA or login event |
| Logon Session Creation (DC0067) | AWS:CloudTrail | ConsoleLogin |

| Field | Description |
|---|---|
| TimeWindow | How far back to check for legitimate MFA or login events before token usage |
| IPGeolocationDistance | Threshold for flagging geographically impossible logins |
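Added example (not code from the page or from AWS): the CloudTrail analytic above, implemented over constructed, flattened CloudTrail-like events. The `TimeWindow` and `IPGeolocationDistance` mutable elements are the `time_window_minutes` and `ip_geo_distance_km` parameters; the field names `mfaUsed` and `geo` are assumptions, since real records nest MFA status under `additionalEventData`/`sessionContext` and carry no coordinates, so `geo` is assumed to come from IP enrichment.

```python
# Added example: session-token use without a preceding MFA login, plus an
# impossible-travel check, over constructed CloudTrail-like events.
# Assumptions: "mfaUsed" and "geo" are flattened/enriched fields, not the raw
# CloudTrail schema (MFA status lives under additionalEventData.MFAUsed on
# ConsoleLogin and userIdentity.sessionContext.attributes.mfaAuthenticated on
# API calls; CloudTrail records no coordinates).
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

EVENTS = [  # constructed sample data, not real logs
    {"eventTime": "2024-05-01T09:00:00Z", "eventName": "ConsoleLogin", "userName": "alice",
     "sourceIPAddress": "203.0.113.10", "mfaUsed": True, "geo": (51.5, -0.1)},
    {"eventTime": "2024-05-01T09:05:00Z", "eventName": "ListBuckets", "userName": "alice",
     "sourceIPAddress": "203.0.113.10", "mfaUsed": True, "geo": (51.5, -0.1)},
    # alice's token presented 25 minutes later from a distant IP, no new login
    {"eventTime": "2024-05-01T09:25:00Z", "eventName": "GetObject", "userName": "alice",
     "sourceIPAddress": "198.51.100.7", "mfaUsed": True, "geo": (37.8, -122.4)},
    # bob: API call with no ConsoleLogin anywhere in the look-back window
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "DescribeInstances", "userName": "bob",
     "sourceIPAddress": "192.0.2.5", "mfaUsed": False, "geo": (48.9, 2.3)},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def detect_token_misuse(events, time_window_minutes=60, ip_geo_distance_km=500.0):
    """Return alerts for API calls lacking a recent MFA login, or made too far from it.

    time_window_minutes -> the TimeWindow mutable element
    ip_geo_distance_km  -> the IPGeolocationDistance mutable element
    """
    window = timedelta(minutes=time_window_minutes)
    logins = {}   # userName -> [(time, geo)] of MFA-backed console logins
    alerts = []
    for e in sorted(events, key=lambda ev: parse_time(ev["eventTime"])):
        t, user = parse_time(e["eventTime"]), e["userName"]
        if e["eventName"] == "ConsoleLogin":
            if e["mfaUsed"]:   # only an MFA-backed login validates later token use
                logins.setdefault(user, []).append((t, e["geo"]))
            continue
        recent = [l for l in logins.get(user, []) if t - window <= l[0] <= t]
        if not recent:
            alerts.append({"user": user, "eventName": e["eventName"],
                           "sourceIPAddress": e["sourceIPAddress"],
                           "reason": "no_login_in_window"})
            continue
        _, login_geo = recent[-1]            # most recent validating login
        distance = haversine_km(login_geo, e["geo"])
        if distance > ip_geo_distance_km:
            alerts.append({"user": user, "eventName": e["eventName"],
                           "sourceIPAddress": e["sourceIPAddress"],
                           "reason": "impossible_travel",
                           "distance_km": round(distance)})
    return alerts


if __name__ == "__main__":
    for alert in detect_token_misuse(EVENTS):
        print(alert)
```

Tightening `time_window_minutes` converts alice's distant `GetObject` call from an impossible-travel alert into a missing-login alert, which is the trade-off the `TimeWindow` element controls; a wide window relies on the distance check instead.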
Session cookie reuse on unmanaged browsers, devices, or client types deviating from user baseline (e.g., switching from Chrome to curl).

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | m365:unified | SessionId reused from different device/browser fingerprint |
| User Account Authentication (DC0002) | saas:okta | session.impersonation.start |

| Field | Description |
|---|---|
| BrowserFingerprintMatch | Tolerance for accepting small differences in user-agent headers |
| SessionReuseTimeout | Time gap threshold between valid session creation and reuse |
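Added example (not code from the page, Microsoft or Okta): the session-reuse analytic above, run over constructed session events with assumed field names (`sessionId`, `userAgent`, `clientIP`; the `action` values are modelled on m365 operation names, not taken from a real schema). `BrowserFingerprintMatch` is the `fingerprint_match` similarity floor, so a Chrome minor-version bump passes while a Chrome-to-curl switch does not; `SessionReuseTimeout` is `reuse_timeout_hours`.

```python
# Added example: session-cookie reuse detection over constructed, generic session
# events. Field names are assumptions, not the m365 or Okta schemas. A session's
# first sighting sets its baseline fingerprint; later uses are scored against it
# with a user-agent similarity tolerance and a maximum session age.
from datetime import datetime, timedelta
from difflib import SequenceMatcher

CHROME_A = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
            "(KHTML, like Gecko) Chrome/124.0.6367.61 Safari/537.36")
CHROME_B = CHROME_A.replace("6367.61", "6367.91")   # routine minor-version bump

SESSION_EVENTS = [  # constructed sample data, not real logs
    {"time": "2024-05-01T09:00:00Z", "sessionId": "s1", "user": "alice",
     "clientIP": "203.0.113.10", "userAgent": CHROME_A, "action": "UserLoggedIn"},
    {"time": "2024-05-01T09:10:00Z", "sessionId": "s1", "user": "alice",
     "clientIP": "203.0.113.10", "userAgent": CHROME_B, "action": "FileAccessed"},
    # same cookie, now presented by a command-line client from another address
    {"time": "2024-05-01T09:30:00Z", "sessionId": "s1", "user": "alice",
     "clientIP": "198.51.100.7", "userAgent": "curl/8.5.0", "action": "FileDownloaded"},
    {"time": "2024-05-01T08:00:00Z", "sessionId": "s2", "user": "bob",
     "clientIP": "192.0.2.5", "userAgent": CHROME_A, "action": "UserLoggedIn"},
    {"time": "2024-05-01T08:30:00Z", "sessionId": "s2", "user": "bob",
     "clientIP": "192.0.2.5", "userAgent": CHROME_A, "action": "FileAccessed"},
    # same cookie presented twelve hours after it was minted
    {"time": "2024-05-01T20:00:00Z", "sessionId": "s2", "user": "bob",
     "clientIP": "192.0.2.5", "userAgent": CHROME_A, "action": "FileAccessed"},
]


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def ua_similarity(a, b):
    """0..1 similarity of two user-agent strings (1.0 = identical)."""
    return SequenceMatcher(None, a, b).ratio()


def detect_session_reuse(events, fingerprint_match=0.9, reuse_timeout_hours=8):
    """Flag a session ID presented with a different client fingerprint or long after creation.

    fingerprint_match   -> BrowserFingerprintMatch: lowest UA similarity still accepted
    reuse_timeout_hours -> SessionReuseTimeout: maximum session age at time of use
    """
    timeout = timedelta(hours=reuse_timeout_hours)
    baseline = {}   # sessionId -> first sighting (taken as session creation)
    alerts = []
    for e in sorted(events, key=lambda ev: parse_time(ev["time"])):
        sid, t = e["sessionId"], parse_time(e["time"])
        if sid not in baseline:
            baseline[sid] = {"created": t, "userAgent": e["userAgent"], "clientIP": e["clientIP"]}
            continue
        base = baseline[sid]
        sim = ua_similarity(base["userAgent"], e["userAgent"])
        if sim < fingerprint_match:
            alerts.append({"sessionId": sid, "user": e["user"], "reason": "fingerprint_mismatch",
                           "similarity": round(sim, 2),
                           "from": base["clientIP"], "to": e["clientIP"]})
        age = t - base["created"]
        if age > timeout:
            alerts.append({"sessionId": sid, "user": e["user"], "reason": "stale_session_reuse",
                           "age_hours": age.total_seconds() / 3600})
    return alerts


if __name__ == "__main__":
    for alert in detect_session_reuse(SESSION_EVENTS):
        print(alert)
```

A similarity ratio is a deliberately coarse fingerprint: it absorbs the version churn that a strict string compare would alert on, while a change of client family (browser to `curl`) still scores near zero. Pair it with the originating IP, as the alert records, before treating a mismatch as token theft rather than a user on a new browser.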
Web session tokens reused in native Office apps (e.g., Outlook, Teams) without associated token refresh or login behavior on the endpoint.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | m365:unified | UserLoggedIn |

| Field | Description |
|---|---|
| EndpointTokenSyncGap | Allowed delta between endpoint login and cloud token reuse |