Adversaries create user accounts via identity provider APIs or admin portals (e.g., Azure AD, Okta). These accounts may be assigned elevated privileges or used in chained authentication. Detection monitors Add User activity from suspicious IPs or automation sources, followed by role/permission escalation.

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | azure:audit | Add user |
| User Account Modification (DC0010) | azure:audit | Add member to role |
| User Account Authentication (DC0002) | azure:signinlogs | Login from newly created account |

| Field | Description |
|---|---|
| IPAddress | Filter on IPs outside known admin networks or geographies |
| RoleThreshold | Raise alert if total admins exceeds historical baseline |
| ServicePrincipalFlag | Differentiate between user and service principal creation |
Adversaries use the cloud API, CLI, or console to create IAM users or roles. The initial CreateUser is followed by policy/role attachment. Detection monitors temporal chains involving IAM:CreateUser, AttachUserPolicy, and credential generation, especially from automation tools or foreign IP ranges.

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | AWS:CloudTrail | CreateUser |
| User Account Modification (DC0010) | AWS:CloudTrail | AttachUserPolicy |

| Field | Description |
|---|---|
| Region | Alert when creation happens in unexpected regions |
| TimeWindow | Chain CreateUser → AttachPolicy → AccessKey within short timeframe |
| UserAgent | Monitor API calls from non-console or automation tools |
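The temporal chain described above, as an added example that is not part of the original page: it runs over constructed, flattened CloudTrail-style records (real CloudTrail nests the target user under requestParameters; the flat `userName` key, the 10-minute window, the expected-region list and the console user-agent prefix are assumptions for the example) and emits one alert per user whose CreateUser → AttachUserPolicy → CreateAccessKey sequence completes inside the window, annotated with the Region and UserAgent tuning fields.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), flattened for readability.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-01T10:00:00Z", "eventName": "CreateUser", "userName": "svc-backup",
     "awsRegion": "eu-north-1", "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T10:00:20Z", "eventName": "AttachUserPolicy", "userName": "svc-backup",
     "awsRegion": "eu-north-1", "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.7"},
    {"eventTime": "2024-05-01T10:00:45Z", "eventName": "CreateAccessKey", "userName": "svc-backup",
     "awsRegion": "eu-north-1", "userAgent": "aws-cli/2.15.0", "sourceIPAddress": "203.0.113.7"},
    # Benign admin workflow: console-driven, expected region, no access key in the window.
    {"eventTime": "2024-05-01T11:00:00Z", "eventName": "CreateUser", "userName": "alice",
     "awsRegion": "us-east-1", "userAgent": "console.amazonaws.com", "sourceIPAddress": "198.51.100.2"},
    {"eventTime": "2024-05-02T09:00:00Z", "eventName": "AttachUserPolicy", "userName": "alice",
     "awsRegion": "us-east-1", "userAgent": "console.amazonaws.com", "sourceIPAddress": "198.51.100.2"},
]

CHAIN = ("CreateUser", "AttachUserPolicy", "CreateAccessKey")  # ordered steps to correlate
CONSOLE_UA_PREFIX = "console.amazonaws.com"  # assumed marker for console-originated calls


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_chains(events, window=timedelta(minutes=10), expected_regions=("us-east-1",)):
    """Return one alert per user whose full CHAIN completes, in order, within `window`."""
    by_user = {}
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        if ev["eventName"] in CHAIN:
            by_user.setdefault(ev["userName"], []).append(ev)
    alerts = []
    for user, evs in by_user.items():
        first_seen = {}
        for ev in evs:
            first_seen.setdefault(ev["eventName"], ev)  # keep the earliest of each step
        if not all(step in first_seen for step in CHAIN):
            continue  # chain incomplete: no credential generated for this user
        times = [_parse(first_seen[s]["eventTime"]) for s in CHAIN]
        if times != sorted(times) or times[-1] - times[0] > window:
            continue  # steps out of order or spread over too long a period
        origin = first_seen["CreateUser"]
        alerts.append({
            "user": user,
            "elapsed_seconds": (times[-1] - times[0]).total_seconds(),
            "unexpected_region": origin["awsRegion"] not in expected_regions,
            "automation_user_agent": not origin["userAgent"].startswith(CONSOLE_UA_PREFIX),
            "source_ip": origin["sourceIPAddress"],
        })
    return alerts
```

The region and user-agent flags are carried on the alert rather than used as filters, so an analyst can tune which combination pages versus merely logs.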
Adversaries create SaaS accounts via admin dashboards or integrations (e.g., Zoom, Salesforce, Slack). Monitor lifecycle.create or account provisioning events from non-standard sources or times.

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | saas:zoom | New user created |

| Field | Description |
|---|---|
| ApplicationScope | Trigger only for high-privilege or sensitive applications |
| AdminUserList | Compare actor to list of approved SaaS administrators |
Adversaries leverage M365 or Google Workspace APIs to create users, service accounts, or guest accounts. Follow-on behaviors include login activity, role escalation, or service principal token generation.

| Data Component | Name | Channel |
|---|---|---|
| User Account Creation (DC0014) | m365:unified | Add user |
| Group Modification (DC0094) | m365:unified | Add member to group |

| Field | Description |
|---|---|
| GroupSensitivity | Only alert on additions to high-value groups (e.g., Domain Admins) |
| GuestFlag | Tune alerts based on guest vs. internal user creation |