Detects adversarial use of cloud-native APIs (e.g., AWS IAM, Azure RBAC, GCP Identity) to enumerate cloud group memberships or policy mappings via unauthorized sessions or scripts.

| Data Component | Name | Channel |
|---|---|---|
| Group Enumeration (DC0099) | AWS:CloudTrail | ListGroups, ListAttachedRolePolicies |

| Field | Description |
|---|---|
| UserContext | Scope to anomalous IAM principals or assume-role usage. |
| TimeWindow | Correlate enumeration activity within lateral movement prep windows. |
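As an added example (not part of the ATT&CK page or any vendor content), the following Python implements the two tuning knobs above over CloudTrail records: the UserContext filter keeps only assumed-role sessions (the `userIdentity.type` of `AssumedRole`), and the TimeWindow correlation flags a principal that issues several IAM enumeration calls inside a sliding window. The records are constructed for this example; `ListGroupsForUser` and `ListRolePolicies` are sibling read-only IAM APIs added to the page's two, and the thresholds are assumptions to be tuned per environment.

```python
"""Constructed CloudTrail enumeration-burst detector (added example, not the page's code)."""
from datetime import datetime, timedelta

# APIs named in the analytic plus two sibling read-only IAM list calls (assumed set).
ENUM_APIS = {"ListGroups", "ListAttachedRolePolicies", "ListGroupsForUser", "ListRolePolicies"}

# Constructed sample records in CloudTrail's field layout (account id is a placeholder).
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T12:00:05Z", "eventName": "ListGroups", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"}},
    {"eventTime": "2024-05-01T12:00:07Z", "eventName": "ListAttachedRolePolicies", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"}},
    {"eventTime": "2024-05-01T12:00:09Z", "eventName": "ListGroupsForUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"}},
    # A write call from the same session: not an enumeration API, so it is ignored here.
    {"eventTime": "2024-05-01T12:01:00Z", "eventName": "CreateUser", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ci-deploy/build-42"}},
    # A human IAM user doing one routine ListGroups: out of scope for the assumed-role filter.
    {"eventTime": "2024-05-01T09:15:00Z", "eventName": "ListGroups", "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/alice"}},
    # A single enumeration call from another session: below the burst threshold.
    {"eventTime": "2024-05-01T14:00:00Z", "eventName": "ListGroups", "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "AssumedRole",
                      "arn": "arn:aws:sts::123456789012:assumed-role/ops-readonly/jdoe"}},
]


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def principal_context(event):
    """Return (principal ARN, is_assumed_role). Assumed-role sessions carry type
    'AssumedRole' and an STS ARN of the form .../assumed-role/<role>/<session>."""
    ident = event.get("userIdentity", {})
    return ident.get("arn", "<unknown>"), ident.get("type") == "AssumedRole"


def find_enumeration_bursts(events, window=timedelta(minutes=5), min_calls=3, only_assumed_role=True):
    """Per principal, sort enumeration calls by time and report the first sliding
    window of length `window` that contains at least `min_calls` calls."""
    by_principal = {}
    for e in events:
        if e.get("eventName") not in ENUM_APIS:
            continue
        arn, assumed = principal_context(e)
        if only_assumed_role and not assumed:
            continue  # UserContext tuning: keep assume-role usage only
        by_principal.setdefault(arn, []).append(
            (parse_time(e["eventTime"]), e["eventName"], e.get("sourceIPAddress", "")))

    alerts = []
    for arn, calls in sorted(by_principal.items()):
        calls.sort()
        start = 0
        for end in range(len(calls)):
            while calls[end][0] - calls[start][0] > window:
                start += 1  # slide the window forward
            if end - start + 1 >= min_calls:
                hit = calls[start:end + 1]
                alerts.append({
                    "principal": arn,
                    "calls": len(hit),
                    "apis": sorted({c[1] for c in hit}),
                    "window_start": hit[0][0].isoformat(),
                    "window_end": hit[-1][0].isoformat(),
                    "source_ips": sorted({c[2] for c in hit}),
                })
                break  # one alert per principal is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_enumeration_bursts(SAMPLE_EVENTS):
        print(alert)
```

Widening `window` or lowering `min_calls` trades noise for coverage; in practice the baseline for a CI role that legitimately lists policies during deploys should be set per role rather than globally.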
Identifies unauthorized access or enumeration of administrative roles, security groups, or distribution groups via Exchange/SharePoint/Teams APIs or role discovery scripts.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | m365:exchange | Get-RoleGroup, Get-DistributionGroup |
| Group Metadata (DC0105) | m365:sharepoint | Enumerate ACLs/role bindings |

| Field | Description |
|---|---|
| AccessScope | Adjust based on tenant-level vs. site-level group visibility. |
| ScriptExecutionContext | Detect script-based role listing (e.g., Graph API call chains). |
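The ScriptExecutionContext field asks for detection of scripted role listing rather than an administrator typing one cmdlet. The Python below, an added example that is not from the ATT&CK page or Microsoft, approximates that from Exchange audit records: a chain of distinct enumeration cmdlets issued at machine pace (consecutive calls under two seconds apart) by the same user, with `-ResultSize Unlimited` as a secondary indicator of bulk collection. The records are constructed; the field names (`CreationTime`, `Operation`, `UserId`, `Workload`, `Parameters`) follow the unified audit log layout but the exact schema should be checked against the tenant's export, and `Get-RoleGroupMember` is assumed alongside the page's two cmdlets. The AccessScope knob is represented by the `known_admins` allowlist.

```python
"""Constructed Exchange audit-log cmdlet-chain detector (added example, not the page's code)."""
from datetime import datetime

# The analytic's two cmdlets plus Get-RoleGroupMember (assumed).
ENUM_CMDLETS = {"Get-RoleGroup", "Get-RoleGroupMember", "Get-DistributionGroup"}

# Constructed records approximating unified audit log ExchangeAdmin entries.
SAMPLE_RECORDS = [
    {"CreationTime": "2024-05-01T10:00:00", "Workload": "Exchange", "Operation": "Get-RoleGroup",
     "UserId": "svc-automation@contoso.onmicrosoft.com",
     "Parameters": [{"Name": "ResultSize", "Value": "Unlimited"}]},
    {"CreationTime": "2024-05-01T10:00:01", "Workload": "Exchange", "Operation": "Get-RoleGroupMember",
     "UserId": "svc-automation@contoso.onmicrosoft.com",
     "Parameters": [{"Name": "Identity", "Value": "Organization Management"}]},
    {"CreationTime": "2024-05-01T10:00:01", "Workload": "Exchange", "Operation": "Get-DistributionGroup",
     "UserId": "svc-automation@contoso.onmicrosoft.com",
     "Parameters": [{"Name": "ResultSize", "Value": "Unlimited"}]},
    # An administrator working interactively: minutes between cmdlets, scoped lookups.
    {"CreationTime": "2024-05-01T11:00:00", "Workload": "Exchange", "Operation": "Get-DistributionGroup",
     "UserId": "bob@contoso.onmicrosoft.com",
     "Parameters": [{"Name": "Identity", "Value": "Finance"}]},
    {"CreationTime": "2024-05-01T11:04:30", "Workload": "Exchange", "Operation": "Get-RoleGroup",
     "UserId": "bob@contoso.onmicrosoft.com", "Parameters": []},
    # A change cmdlet: not enumeration, ignored by this analytic.
    {"CreationTime": "2024-05-01T11:05:00", "Workload": "Exchange", "Operation": "Set-Mailbox",
     "UserId": "bob@contoso.onmicrosoft.com",
     "Parameters": [{"Name": "Identity", "Value": "carol"}]},
]


def parse_time(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def _unbounded(run):
    """True if any cmdlet in the run asked for an unlimited result set."""
    return any(p.get("Name") == "ResultSize" and str(p.get("Value")).lower() == "unlimited"
               for _, _, params in run for p in params)


def _emit(chains, user, run, min_distinct):
    distinct = {op for _, op, _ in run}
    if len(distinct) < min_distinct:
        return
    chains.append({
        "user": user,
        "cmdlets": [op for _, op, _ in run],
        "span_seconds": (run[-1][0] - run[0][0]).total_seconds(),
        "unbounded_result": _unbounded(run),
    })


def script_like_chains(records, max_gap_seconds=2.0, min_distinct=2, known_admins=frozenset()):
    """Per user, split enumeration cmdlets into runs where each call follows the previous
    one within `max_gap_seconds`; report runs covering >= `min_distinct` different cmdlets.
    Users in `known_admins` are suppressed (the AccessScope tuning)."""
    by_user = {}
    for r in records:
        if r.get("Workload") != "Exchange" or r.get("Operation") not in ENUM_CMDLETS:
            continue
        if r.get("UserId") in known_admins:
            continue
        by_user.setdefault(r["UserId"], []).append(
            (parse_time(r["CreationTime"]), r["Operation"], r.get("Parameters", [])))

    chains = []
    for user, calls in sorted(by_user.items()):
        calls.sort(key=lambda c: c[0])  # stable: same-second calls keep log order
        run = [calls[0]]
        for prev, cur in zip(calls, calls[1:]):
            if (cur[0] - prev[0]).total_seconds() <= max_gap_seconds:
                run.append(cur)
            else:
                _emit(chains, user, run, min_distinct)
                run = [cur]
        _emit(chains, user, run, min_distinct)
    return chains


if __name__ == "__main__":
    for chain in script_like_chains(SAMPLE_RECORDS):
        print(chain)
```

The same run-splitting logic applies to Graph API call chains if the audit source records per-request timestamps; only the `ENUM_CMDLETS` set and the field names change.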
Monitors API calls and service-specific logs for enumeration of organizational roles, permissions, and group structure, particularly outside of normal admin behavior baselines.

| Data Component | Name | Channel |
|---|---|---|
| Group Enumeration (DC0099) | saas:salesforce | GET /services/data/vXX.X/groups |

| Field | Description |
|---|---|
| OrgScope | Scope to cross-team access or unfamiliar org enumeration. |
| RequestRate | Tuning for excessive group-list API calls. |
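The Salesforce analytic turns on two knobs: OrgScope (is this principal expected to list groups at all?) and RequestRate (is the volume above that principal's baseline?). The Python below, an added example that is not from the ATT&CK page or Salesforce, implements both against constructed API event rows: it matches the versioned `/services/data/vXX.X/groups` path with a regex so the API version does not need to be pinned, computes each user's peak requests per calendar minute, and alerts either because the user has no baseline (unfamiliar principal) or because the peak exceeds a multiple of the known baseline. Field names (`TIMESTAMP_DERIVED`, `USER_ID`, `URI`, `METHOD`) follow the event log file layout but are an assumption to verify against the org's export; user ids and baselines are constructed.

```python
"""Constructed Salesforce group-list rate detector (added example, not the page's code)."""
import re
from collections import defaultdict
from datetime import datetime

# Versioned REST path for group listing; the version segment is left as a pattern.
GROUP_LIST_RE = re.compile(r"^/services/data/v\d+\.\d+/groups(?:/|\?|$)")

# Constructed API event rows; user ids use Salesforce's 005 prefix with placeholder suffixes.
SAMPLE_API_EVENTS = (
    [{"TIMESTAMP_DERIVED": f"2024-05-01T08:00:{s:02d}.000Z", "USER_ID": "005AAA",
      "URI": "/services/data/v59.0/groups", "METHOD": "GET"} for s in (10, 20, 40)]
    # A sobjects query on the Group object is a different API surface, so it is not counted.
    + [{"TIMESTAMP_DERIVED": "2024-05-01T08:01:00.000Z", "USER_ID": "005AAA",
        "URI": "/services/data/v59.0/sobjects/Group", "METHOD": "GET"}]
    # An unfamiliar user (no baseline) paging through groups six times in five seconds.
    + [{"TIMESTAMP_DERIVED": f"2024-05-01T08:05:{s:02d}.000Z", "USER_ID": "005BBB",
        "URI": "/services/data/v59.0/groups?pageSize=200", "METHOD": "GET"} for s in range(6)]
    # A known user running ten times above their usual rate.
    + [{"TIMESTAMP_DERIVED": f"2024-05-01T09:00:{s:02d}.000Z", "USER_ID": "005CCC",
        "URI": "/services/data/v58.0/groups", "METHOD": "GET"} for s in range(10)]
)


def peak_group_list_rpm(events):
    """Return {user_id: peak number of group-list GETs in any single calendar minute}."""
    per_minute = defaultdict(int)
    for e in events:
        if e.get("METHOD") != "GET" or not GROUP_LIST_RE.match(e.get("URI", "")):
            continue
        ts = datetime.strptime(e["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        per_minute[(e["USER_ID"], ts.strftime("%Y-%m-%dT%H:%M"))] += 1
    peak = {}
    for (user, _minute), count in per_minute.items():
        peak[user] = max(peak.get(user, 0), count)
    return peak


def rate_alerts(events, baseline_rpm, multiplier=3, unfamiliar_threshold=5):
    """OrgScope: users absent from `baseline_rpm` alert once they reach
    `unfamiliar_threshold` calls in a minute. RequestRate: known users alert when
    their peak exceeds `multiplier` times their baseline."""
    alerts = []
    for user, peak in sorted(peak_group_list_rpm(events).items()):
        if user not in baseline_rpm:
            if peak >= unfamiliar_threshold:
                alerts.append({"user": user, "reason": "unfamiliar_principal", "peak_rpm": peak})
            continue
        limit = baseline_rpm[user] * multiplier
        if peak > limit:
            alerts.append({"user": user, "reason": "rate_exceeds_baseline",
                           "peak_rpm": peak, "limit": limit})
    return alerts


# Constructed per-user baselines, e.g. learned from a quiet month of API event logs.
BASELINE_RPM = {"005AAA": 2, "005CCC": 1}

if __name__ == "__main__":
    for alert in rate_alerts(SAMPLE_API_EVENTS, BASELINE_RPM):
        print(alert)
```

Baselines should be learned per user (or per integration profile) rather than org-wide, since a single integration user that syncs groups on a schedule would otherwise raise the threshold for everyone.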