Detection of new IAM roles or policies attached to a user/service in AWS/GCP/Azure outside normal patterns or hours, often following account compromise.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | AWS:CloudTrail | AttachUserPolicy, CreatePolicyVersion, PutRolePolicy |

| Field | Description |
|---|---|
| RoleScope | IAM Role type or privilege level assigned (e.g., Admin, Billing, Viewer) |
| UserContext | User, service account, or external federated identity context performing the action |
| PolicyChangeTimeWindow | How quickly multiple roles or policies are added after initial access |
| ExternalRoleOrigin | Cross-account roles originating from outside the trusted tenant list |
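A worked detection pass over the three CloudTrail channels named above, added here as an illustration and not part of this analytic's own logic. It assumes constructed records with placeholder account IDs, UTC business hours of 08:00-18:00, a 15-minute burst window and a caller-supplied set of trusted account IDs, and maps each rule to a mutable element (RoleScope, PolicyChangeTimeWindow, ExternalRoleOrigin).

```python
import json
from datetime import datetime, timedelta
POLICY_EVENTS = {"AttachUserPolicy", "CreatePolicyVersion", "PutRolePolicy"}
TS = "%Y-%m-%dT%H:%M:%SZ"  # CloudTrail eventTime is UTC, so business_hours below are UTC

# Constructed sample CloudTrail records with placeholder account IDs (not real data).
SAMPLE_EVENTS = [
    {"eventName": "AttachUserPolicy", "eventTime": "2024-03-02T03:12:40Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"userName": "alice",
                           "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}},
    {"eventName": "PutRolePolicy", "eventTime": "2024-03-02T03:14:05Z",
     "userIdentity": {"arn": "arn:aws:iam::111111111111:user/alice"},
     "requestParameters": {"roleName": "app-role", "policyDocument": json.dumps(
         {"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]})}},
    {"eventName": "CreatePolicyVersion", "eventTime": "2024-03-02T10:30:00Z",
     "userIdentity": {"arn": "arn:aws:sts::222222222222:assumed-role/ext/ops"},
     "requestParameters": {"policyArn": "arn:aws:iam::111111111111:policy/ReadOnly"}},
]

def is_admin_scope(params):
    """RoleScope: managed AdministratorAccess, or an inline/new document allowing Action '*'."""
    if params.get("policyArn", "").endswith("/AdministratorAccess"):
        return True
    stmts = json.loads(params["policyDocument"]).get("Statement", []) if params.get("policyDocument") else []
    for s in stmts if isinstance(stmts, list) else [stmts]:
        actions = s.get("Action", [])
        if s.get("Effect") == "Allow" and "*" in (actions if isinstance(actions, list) else [actions]):
            return True
    return False

def analyze(events, trusted_accounts, business_hours=(8, 18), window=timedelta(minutes=15), burst=2):
    """Return (eventName, actor ARN, reasons) for each IAM policy change that trips a rule."""
    changes = [e for e in events if e["eventName"] in POLICY_EVENTS]
    findings = []
    for e in changes:
        t, actor, reasons = datetime.strptime(e["eventTime"], TS), e["userIdentity"]["arn"], []
        if is_admin_scope(e.get("requestParameters", {})):
            reasons.append("admin-scope")
        if not business_hours[0] <= t.hour < business_hours[1]:
            reasons.append("off-hours")
        if actor.split(":")[4] not in trusted_accounts:  # ExternalRoleOrigin: principal's own account
            reasons.append("external-principal")
        same_actor = [c for c in changes if c["userIdentity"]["arn"] == actor
                      and abs(datetime.strptime(c["eventTime"], TS) - t) <= window]
        if len(same_actor) >= burst:  # PolicyChangeTimeWindow: several changes in quick succession
            reasons.append("burst")
        if reasons:
            findings.append((e["eventName"], actor, reasons))
    return findings
```

Feeding real CloudTrail JSON is a matter of loading the `Records` array in place of `SAMPLE_EVENTS`; the trusted account set and business hours should come from the organisation's own baseline.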
Behavioral chain of a user being granted elevated privileges or roles in Entra ID or Okta following suspicious login or account creation activity.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | m365:audit | Add member to role, Add app role assignment |

| Field | Description |
|---|---|
| AdminRoleThreshold | Number of accounts allowed to hold sensitive roles like Global Admin |
| RoleAssignmentMethod | Mechanism by which the role was added (PowerShell, API, UI) |
| GrantContext | Expected user-to-role mapping defined by org policy |
Detection of new admin or role assignment actions within Microsoft 365/O365 environments that elevate access for persistence or lateral movement.

| Data Component | Name | Channel |
|---|---|---|
| User Account Modification (DC0010) | m365:unified | Add member to role, Set-Mailbox |

| Field | Description |
|---|---|
| OfficeRoleType | Admin role type or application role granted |
| TimeWindow | Time between initial login and privilege change |
| ActionOrigin | Whether the role assignment was made from a local account or via a federated SSO account |