Detects adversarial use of cloud APIs for command execution, resource control, or reconnaissance. Focuses on CLI/SDK/scripting language abuse via stolen credentials or in-browser Cloud Shells. Monitors for anomalous API calls chained with authentication context shifts (e.g., stolen token -> privileged action) and cross-service impacts.
| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | AWS:CloudTrail | eventName: RunInstances, CreateUser, PutRolePolicy, SendCommand (SSM; there is no `InvokeCommand` API) |
| Cloud Service Modification (DC0069) | azure:activity | operationName: resource `*/write` operations, Microsoft.Authorization/roleAssignments/write (role assignment); access review changes land in the Entra ID audit log rather than the activity log |
| User Account Authentication (DC0002) | Okta:SystemLog | eventType: user.authentication.sso, app.oauth2.token.grant |

| Field | Description |
|---|---|
| TimeWindow | API calls or configuration changes outside the principal's normal working hours and time zone; a baseline per principal matters more than a fixed global window. |
| UserAgent | SDK or tool use that differs from the principal's baseline (e.g., a console-only user suddenly appearing with a `Boto3/` or `azcopy` User-Agent, or an unknown string). |
| CredentialType | Long-lived access keys or bearer tokens used from a geography or IP that never appears in that user's authentication events (e.g., the Okta SSO/token-grant source IP). |
| APISequence | Unusual or rapid chaining of provisioning, IAM, and execution APIs by one principal within a short window. |
| ConsoleContext | Browser-based Cloud Shell sessions originate from provider-owned IP ranges and carry a distinct User-Agent; distinguishing them from a local CLI helps separate interactive console use from credentials replayed from an external host. |
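The fields above combine into a per-principal rule rather than five independent alerts. The following is an added example, not code from the original page or from any vendor: it correlates constructed CloudTrail records with constructed Okta System Log events and scores each IAM principal on API chaining, off-hours use, unexpected User-Agent, and a credential context shift (key used from an IP the user never authenticated from). The expected User-Agents, business hours, chain window, and the mapping from IAM ARN to Okta login are assumptions for the example; the sample events are constructed, not real telemetry.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# CloudTrail eventNames grouped into the API families the rule scores as a chain.
# SendCommand (SSM) is the execution primitive; IAM writes are the escalation step.
API_FAMILY = {
    "RunInstances": "provision",
    "CreateUser": "iam",
    "PutRolePolicy": "iam",
    "SendCommand": "execute",
}
EXPECTED_USER_AGENTS = ("aws-cli/", "console.amazonaws.com")  # assumed tenant baseline
BUSINESS_HOURS_UTC = range(8, 18)      # assumed working window, UTC
CHAIN_WINDOW = timedelta(minutes=10)   # assumed: calls this close together form one chain
# Assumed mapping from IAM principal ARN to the Okta login that federates into it.
PRINCIPAL_TO_OKTA = {
    "arn:aws:iam::123456789012:user/alice": "alice@example.com",
    "arn:aws:iam::123456789012:user/bob": "bob@example.com",
}

def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def okta_login_ips(okta_events):
    """Source IPs at which each Okta actor completed SSO or an OAuth2 token grant."""
    ips = defaultdict(set)
    for ev in okta_events:
        if ev["eventType"] in ("user.authentication.sso", "app.oauth2.token.grant"):
            ips[ev["actor"]["alternateId"]].add(ev["client"]["ipAddress"])
    return ips

def api_chains(events):
    """Ordered family chains (e.g. 'iam>execute') seen inside CHAIN_WINDOW; events are time-sorted."""
    chains = set()
    for i, first in enumerate(events):
        t0 = parse_time(first["eventTime"])
        seen = []
        for ev in events[i:]:
            if parse_time(ev["eventTime"]) - t0 > CHAIN_WINDOW:
                break
            family = API_FAMILY.get(ev["eventName"])
            if family and family not in seen:
                seen.append(family)
        if len(seen) >= 2:
            chains.add(">".join(seen))
    return chains

def analyze(cloudtrail_events, okta_events, principal_to_okta):
    """Return {principal_arn: sorted reasons} for principals tripping at least one field."""
    login_ips = okta_login_ips(okta_events)
    by_principal = defaultdict(list)
    for ev in sorted(cloudtrail_events, key=lambda e: e["eventTime"]):
        by_principal[ev["userIdentity"]["arn"]].append(ev)
    findings = {}
    for principal, events in by_principal.items():
        reasons = set()
        known_ips = login_ips.get(principal_to_okta.get(principal), set())
        for ev in events:
            if not ev["userAgent"].startswith(EXPECTED_USER_AGENTS):
                reasons.add("unexpected_user_agent:" + ev["userAgent"].split("/")[0])
            if parse_time(ev["eventTime"]).hour not in BUSINESS_HOURS_UTC:
                reasons.add("off_hours")
            # Context shift: the key is used from an IP the user never authenticated from.
            if known_ips and ev["sourceIPAddress"] not in known_ips:
                reasons.add("credential_ip_mismatch")
        for chain in api_chains(events):
            reasons.add("api_chain:" + chain)
        if reasons:
            findings[principal] = sorted(reasons)
    return findings

def _ct(time, name, user, ip, agent):
    # Trimmed CloudTrail record; only the fields the rule reads are present.
    return {"eventTime": time, "eventName": name, "sourceIPAddress": ip, "userAgent": agent,
            "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::123456789012:user/{user}"}}

# Constructed sample data, not real telemetry.
SAMPLE_OKTA = [
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "alice@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},
    {"eventType": "user.authentication.sso", "actor": {"alternateId": "bob@example.com"},
     "client": {"ipAddress": "198.51.100.7"}},
]
BOTO_UA = "Boto3/1.34.0 md/Botocore#1.34.0 ua/2.0 os/linux lang/python#3.11"
SAMPLE_CLOUDTRAIL = [
    _ct("2024-05-01T10:00:00Z", "RunInstances", "bob", "198.51.100.7", "aws-cli/2.15.30"),
    _ct("2024-05-01T02:10:00Z", "CreateUser", "alice", "203.0.113.9", BOTO_UA),
    _ct("2024-05-01T02:11:00Z", "PutRolePolicy", "alice", "203.0.113.9", BOTO_UA),
    _ct("2024-05-01T02:14:00Z", "SendCommand", "alice", "203.0.113.9", BOTO_UA),
]

def run_sample():
    return analyze(SAMPLE_CLOUDTRAIL, SAMPLE_OKTA, PRINCIPAL_TO_OKTA)

if __name__ == "__main__":
    for principal, reasons in run_sample().items():
        print(principal, reasons)
```

On the sample, `bob` (one provisioning call, expected CLI, business hours, from his own SSO IP) produces nothing, while `alice` is flagged on all four fields at once: an IAM-to-execution chain inside ten minutes, at 02:10 UTC, via an SDK User-Agent, from an IP absent from her Okta history. Scoring per principal is what keeps a lone off-hours `RunInstances` from paging anyone; the signal is the conjunction.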