Detects web console login events followed by read-only or metadata retrieval activity from GUI sources (e.g., browser session, mobile client) rather than API/CLI sources. Correlates across CloudTrail, IAM identity logs, and user-agent context.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | AWS:CloudTrail | ConsoleLogin |
| Cloud Storage Metadata (DC0027) | AWS:CloudTrail | Post-authentication metadata enumeration from GUI session |

| Field | Description |
|---|---|
| UserAgentFilter | Allowlist/denylist of user agents to distinguish browser-based vs. CLI/API sessions |
| TimeWindow | Maximum time delta between login and suspicious GUI activity |
| PrivilegedSessionThreshold | Login attempts to dashboard using elevated IAM roles |
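As an added example (not part of this page or of any vendor's detection content), the first analytic's correlation in Python over constructed CloudTrail-shaped records: a successful ConsoleLogin followed within TimeWindow by read-only calls whose user agent falls on the GUI side of UserAgentFilter. The user-agent markers, the Get/List/Describe prefix heuristic and the 15-minute window are assumptions; in production the CloudTrail `readOnly` field can replace the prefix heuristic.

```python
from datetime import datetime, timedelta

# Tunables for the table's UserAgentFilter and TimeWindow (values are assumptions)
GUI_UA_MARKERS = ("Mozilla/", "console.amazonaws.com")  # browser / console sessions
CLI_UA_MARKERS = ("aws-cli/", "Boto3/", "aws-sdk-")     # API / CLI sessions
READ_ONLY_PREFIXES = ("Get", "List", "Describe")        # metadata / read-only calls
TIME_WINDOW = timedelta(minutes=15)
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"                        # CloudTrail eventTime layout

def is_gui_source(ua):
    """True when the user agent looks like a browser/console rather than CLI/SDK."""
    return any(m in ua for m in GUI_UA_MARKERS) and not any(m in ua for m in CLI_UA_MARKERS)

def event(ts, name, arn, ua, **extra):  # minimal CloudTrail-shaped record (constructed)
    return {"eventTime": ts, "eventName": name, "userIdentity": {"arn": arn},
            "userAgent": ua, **extra}

ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
BROWSER = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/124.0"
CLI = "aws-cli/2.15.0 Python/3.11.6 Linux/6.5 exe/x86_64"

# Constructed sample data, not real logs
SAMPLE_EVENTS = [
    event("2024-05-01T10:00:00Z", "ConsoleLogin", ALICE, BROWSER,
          responseElements={"ConsoleLogin": "Success"}),
    event("2024-05-01T10:02:00Z", "ConsoleLogin", BOB, BROWSER,
          responseElements={"ConsoleLogin": "Failure"}),       # failed login: ignored
    event("2024-05-01T10:03:00Z", "ListBuckets", ALICE, BROWSER),
    event("2024-05-01T10:04:00Z", "DescribeInstances", ALICE, BROWSER),
    event("2024-05-01T10:05:00Z", "ListBuckets", BOB, CLI),       # CLI source: ignored
    event("2024-05-01T12:30:00Z", "GetBucketPolicy", ALICE, BROWSER),  # outside window
]

def correlate(events, window=TIME_WINDOW):
    """Alert on each successful ConsoleLogin followed within `window` by GUI read-only calls."""
    alerts = []
    ordered = sorted(events, key=lambda e: e["eventTime"])  # ISO-8601 sorts lexically
    for i, ev in enumerate(ordered):
        if ev["eventName"] != "ConsoleLogin" or \
                ev.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        arn, t0 = ev["userIdentity"]["arn"], datetime.strptime(ev["eventTime"], TS_FORMAT)
        reads = [f["eventName"] for f in ordered[i + 1:]
                 if f["userIdentity"]["arn"] == arn and is_gui_source(f["userAgent"])
                 and f["eventName"].startswith(READ_ONLY_PREFIXES)
                 and datetime.strptime(f["eventTime"], TS_FORMAT) - t0 <= window]
        if reads:
            alerts.append({"principal": arn, "login_time": ev["eventTime"], "reads": reads})
    return alerts
```

Only alice's session produces an alert: bob's CLI reads fail the user-agent test, his console login was not successful, and alice's later GetBucketPolicy falls outside the window.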

Detects successful login to cloud identity portals (e.g., Okta, Azure AD, Google Identity) from atypical geolocations, devices, or user agents, immediately followed by dashboard/portal navigation to sensitive pages such as user or app configuration.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | azure:signinlogs | Sign-in with unfamiliar location/device + portal navigation |
| Logon Session Creation (DC0067) | saas:okta | user.session.start |
| Application Log Content (DC0038) | saas:okta | WebUI access to administrator dashboard |

| Field | Description |
|---|---|
| GeoIPAnomalyThreshold | Threshold for location anomalies per user profile |
| UserAgentReputation | Unknown browser/device fingerprint list |
| PrivilegedPageAccess | List of sensitive dashboard views for alerting |

Detects login to admin consoles (e.g., Microsoft 365 Admin Center) from unrecognized users, devices, or geolocations followed by non-API data review or configuration read actions that suggest GUI dashboard use.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | m365:signinlogs | UserLoginSuccess |
| Logon Session Creation (DC0067) | m365:unified | ViewAdminReport |
| Application Log Content (DC0038) | m365:unified | Read-only configuration review from GUI |

| Field | Description |
|---|---|
| AdminRoleList | Roles allowed to access dashboard views |
| DashboardNavigationSequence | Pageview paths or clickstreams indicating use of GUI admin console |
| GeoLocationRisk | List of high-risk regions or unexpected geos |

Detects SaaS web login followed by dashboard or web GUI page views from unfamiliar locations, devices, or access patterns. Identifies use of sensitive reporting or configuration consoles accessed from high-risk accounts.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | saas:zoom | Zoom Admin Dashboard accessed from unfamiliar IP/device |
| User Account Authentication (DC0002) | saas:salesforce | Login |
| Application Log Content (DC0038) | saas:box | User navigated to admin interface |

| Field | Description |
|---|---|
| SaaSDashboardViewList | List of GUI pages or endpoints considered sensitive |
| IPReputationThreshold | Reputation score or allowlist of source IPs |
| LoginBehaviorBaseline | Typical user/device login pairings or login frequency |