Monitor for unauthorized or unusual modifications to cloud resource hierarchies such as AWS Organizations or Azure Management Groups. Defenders may observe anomalous calls to APIs like LeaveOrganization, CreateAccount, MoveAccount, or Azure subscription transfers. Correlate account activity with administrative role assignments, tenant transfers, or new subscription creation that deviates from organizational baselines. Multi-event correlation should track role elevation followed by hierarchy modifications within a short time window.
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | LeaveOrganization: API calls severing accounts from AWS Organizations |

| Field | Description |
|---|---|
| TimeWindow | Threshold for correlating role elevation with hierarchy modification events. |
| PrivilegedRoleList | List of high-privilege roles (e.g., Global Administrator, OrganizationAccountAccessRole) used to monitor sensitive modifications. |
| SubscriptionTransferPatterns | Patterns of subscription changes that may indicate hijacking or unauthorized tenant transfers. |
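The following is an added worked example of the multi-event correlation described above (role elevation followed by a hierarchy modification inside TimeWindow); it is not MITRE's or AWS's code. It assumes CloudTrail's JSON field layout (`eventTime`, `eventSource`, `eventName`, `userIdentity.arn`, `requestParameters.roleArn`, `responseElements.assumedRoleUser.arn`), and the tunable values, account id and sample events are all constructed for illustration.

```python
"""Correlate a privileged-role elevation with a later AWS Organizations
hierarchy change by the same session, inside a configurable time window.

Added example, not MITRE's or AWS's code. Event fields follow CloudTrail's
JSON layout; every sample event below is constructed.
"""
from datetime import datetime, timedelta

# Tunables named after the page's parameters; the values are assumptions.
TIME_WINDOW = timedelta(minutes=30)
PRIVILEGED_ROLE_LIST = {"OrganizationAccountAccessRole", "AdministratorAccess"}
# Organizations API calls that alter the account hierarchy.
HIERARCHY_EVENTS = {"LeaveOrganization", "CreateAccount", "MoveAccount",
                    "RemoveAccountFromOrganization"}


def parse_time(stamp):
    """CloudTrail eventTime is ISO-8601 UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def elevated_role(event):
    """Return the role name if this is sts:AssumeRole into a privileged role, else None."""
    if event.get("eventSource") != "sts.amazonaws.com" or event.get("eventName") != "AssumeRole":
        return None
    role_arn = event.get("requestParameters", {}).get("roleArn", "")
    role_name = role_arn.rsplit("/", 1)[-1]
    return role_name if role_name in PRIVILEGED_ROLE_LIST else None


def is_hierarchy_change(event):
    return (event.get("eventSource") == "organizations.amazonaws.com"
            and event.get("eventName") in HIERARCHY_EVENTS)


def correlate(events, window=TIME_WINDOW):
    """Alert on hierarchy changes made by a privileged session created within `window`.

    The link between the two events is the assumed-role session ARN: AssumeRole
    returns it in responseElements.assumedRoleUser.arn, and every later call made
    with those credentials carries the same value in userIdentity.arn.
    """
    alerts = []
    elevations = {}  # session ARN -> (time of AssumeRole, role name, original caller)
    for ev in sorted(events, key=lambda e: parse_time(e["eventTime"])):
        when = parse_time(ev["eventTime"])
        role = elevated_role(ev)
        if role:
            session_arn = ev.get("responseElements", {}).get("assumedRoleUser", {}).get("arn")
            if session_arn:
                elevations[session_arn] = (when, role, ev.get("userIdentity", {}).get("arn", "?"))
            continue
        if is_hierarchy_change(ev):
            hit = elevations.get(ev.get("userIdentity", {}).get("arn", ""))
            if hit and when - hit[0] <= window:
                alerts.append({
                    "eventName": ev["eventName"],
                    "role": hit[1],
                    "caller": hit[2],
                    "minutes_after_elevation": (when - hit[0]).total_seconds() / 60,
                })
    return alerts


# Constructed sample trail: one true positive, three benign events, one outside the window.
ACCT = "111122223333"
ALICE_SESSION = f"arn:aws:sts::{ACCT}:assumed-role/OrganizationAccountAccessRole/alice"
SAMPLE_EVENTS = [
    # Alice assumes the privileged role at 10:00.
    {"eventTime": "2024-05-01T10:00:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/alice"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/OrganizationAccountAccessRole"},
     "responseElements": {"assumedRoleUser": {"arn": ALICE_SESSION}}},
    # Seven minutes later the same session severs an account from the organization.
    {"eventTime": "2024-05-01T10:07:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "LeaveOrganization",
     "userIdentity": {"type": "AssumedRole", "arn": ALICE_SESSION}},
    # Bob assumes a non-privileged role: no elevation is recorded.
    {"eventTime": "2024-05-01T10:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "AssumeRole",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/bob"},
     "requestParameters": {"roleArn": f"arn:aws:iam::{ACCT}:role/ReadOnlyRole"},
     "responseElements": {"assumedRoleUser": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/ReadOnlyRole/bob"}}},
    # Routine account creation by the provisioning user, with no preceding elevation.
    {"eventTime": "2024-05-01T10:10:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "CreateAccount",
     "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCT}:user/provisioner"}},
    # Alice's session moves an account two hours later: outside the 30-minute window.
    {"eventTime": "2024-05-01T12:00:00Z", "eventSource": "organizations.amazonaws.com",
     "eventName": "MoveAccount",
     "userIdentity": {"type": "AssumedRole", "arn": ALICE_SESSION}},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

Run against the sample trail, only the LeaveOrganization call fires (7 minutes after the elevation); widening `window` to three hours also catches the later MoveAccount by the same session. Keying on the session ARN rather than the human caller is what makes the rule robust to role chaining, and the CreateAccount by a plain IAM user shows why TimeWindow and PrivilegedRoleList need separate baselines for routine provisioning identities.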