Use of stolen Kerberos tickets or token impersonation resulting in logon sessions from accounts without expected interactive logon events.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624, 4672, 4648 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |

| Field | Description |
|---|---|
| TimeWindow | Allows tuning of how far apart related logon and process events can be correlated |
| UserContext | Customize for high-value or service accounts with restricted access policies |
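
The correlation described above, written out as an added example (not code from the original page): Sysmon process creation events (EventCode=1) are joined to Security logon session creation events (EventCode=4624) on the logon session ID, and a process is flagged when its session has no interactive logon within TimeWindow. The field names follow the standard Sysmon and Security event schemas; the sample events, the 30-minute default window and the `user_context` filter are assumptions for this example.

```python
"""Flag process creations whose logon session has no interactive 4624
within TimeWindow. Sample events below are constructed, not real logs."""
from collections import defaultdict
from datetime import datetime, timedelta

INTERACTIVE_LOGON_TYPES = {2, 10, 11}  # Interactive, RemoteInteractive, CachedInteractive

# Constructed sample events, already parsed into dicts (assumed, not from the page).
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:00", "log": "Security", "EventCode": 4624,
     "TargetUserName": "alice", "TargetLogonId": "0x3e7a1", "LogonType": 2},
    {"ts": "2024-05-01T09:00:05", "log": "Sysmon", "EventCode": 1,
     "User": "CORP\\alice", "LogonId": "0x3e7a1", "Image": "C:\\Windows\\System32\\cmd.exe"},
    # New session for a service account created by a non-interactive (network) logon
    {"ts": "2024-05-01T09:10:00", "log": "Security", "EventCode": 4624,
     "TargetUserName": "svc-backup", "TargetLogonId": "0x5b2c3", "LogonType": 3},
    {"ts": "2024-05-01T09:10:02", "log": "Sysmon", "EventCode": 1,
     "User": "CORP\\svc-backup", "LogonId": "0x5b2c3", "Image": "C:\\Windows\\System32\\cmd.exe"},
    # Process in a logon session with no 4624 at all in the collected events
    {"ts": "2024-05-01T09:20:00", "log": "Sysmon", "EventCode": 1,
     "User": "CORP\\bob", "LogonId": "0x7f001", "Image": "C:\\Windows\\System32\\whoami.exe"},
]

def find_sessions_without_interactive_logon(events, time_window=timedelta(minutes=30),
                                            user_context=None):
    """Return (account, LogonId, Image, reason) for each process creation whose
    LogonId has no interactive 4624 within time_window before the process start.
    user_context: optional set of account names (UserContext) to restrict the check."""
    logons = defaultdict(list)  # LogonId -> [(timestamp, LogonType)]
    for ev in events:
        if ev["log"] == "Security" and ev["EventCode"] == 4624:
            logons[ev["TargetLogonId"]].append((datetime.fromisoformat(ev["ts"]), ev["LogonType"]))
    hits = []
    for ev in events:
        if not (ev["log"] == "Sysmon" and ev["EventCode"] == 1):
            continue
        account = ev["User"].split("\\")[-1].lower()
        if user_context and account not in user_context:
            continue
        started = datetime.fromisoformat(ev["ts"])
        # Logon types of 4624 events for this session that fall inside TimeWindow
        in_window = [lt for ts, lt in logons.get(ev["LogonId"], [])
                     if timedelta(0) <= started - ts <= time_window]
        if not in_window:
            reason = "no 4624 for logon session within TimeWindow"
        elif not any(lt in INTERACTIVE_LOGON_TYPES for lt in in_window):
            reason = f"logon type(s) {sorted(set(in_window))} not interactive"
        else:
            continue  # session began with an interactive logon; expected
        hits.append((account, ev["LogonId"], ev["Image"], reason))
    return hits
```

Network-logon sessions (type 3) are also produced by legitimate remote administration, so the UserContext filter is what keeps this analytic focused on accounts that should never run processes outside an interactive session.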
Access tokens or SSH keys used without corresponding login shell or PAM module activity, particularly for remote execution.

| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | auditd:SYSCALL | execution of ssh, scp, or sftp using previously unseen credentials or keys |
| Logon Session Creation (DC0067) | NSM:Connections | Accepted publickey for user from unusual IP or without tty |

| Field | Description |
|---|---|
| SourceIPWhitelist | Tune for approved jump boxes or bastion hosts |
| AuthMethod | Filter on use of password vs. publickey methods for better coverage |
Token replay or impersonation in federated logins without interactive browser session or MFA prompts.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | azure:signinLogs | TokenIssuanceStart, TokenIssuanceSuccess |
| User Account Authentication (DC0002) | m365:unified | login using refresh_token with no preceding authentication context |

| Field | Description |
|---|---|
| MFAContextRequired | Customize for accounts where MFA must always precede token issuance |
| RefreshTokenReuseThreshold | Threshold for number of times a refresh token is reused without re-auth |
Unusual reuse of OAuth access tokens from different geographic regions, without full login events.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | saas:googleworkspace | access_token issued |
| User Account Authentication (DC0002) | saas:googleworkspace | API access without user login |

| Field | Description |
|---|---|
| GeoIPDistanceThreshold | Minimum distance between token reuse events to trigger detection |
Container process uses mounted cloud credentials or token cache to authenticate without known orchestration.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | docker:runtime | execution of cloud CLI tool (e.g., aws, az) inside container |
| User Account Metadata (DC0013) | AWS:CloudTrail | AssumeRole |

| Field | Description |
|---|---|
| ContainerLabel | Restrict to prod workloads or certain namespaces |
| CredentialPath | Path used to mount sensitive tokens (e.g., /.aws/credentials) |
Access token reuse to connect to SharePoint or Outlook APIs without interactive user context.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | m365:unified | TokenIssued, FileAccessed |

| Field | Description |
|---|---|
| UserAgentCheck | Tune to detect access from CLI agents or scripts rather than interactive browsers |
Use of instance metadata tokens across instances or misuse of short-lived tokens issued for different roles.

| Data Component | Name | Channel |
|---|---|---|
| Web Credential Usage (DC0007) | AWS:CloudTrail | GetCallerIdentity |
| User Account Metadata (DC0013) | AWS:CloudTrail | AssumeRole |

| Field | Description |
|---|---|
| TokenReuseWindow | Time window within which token reuse is suspicious |
| RoleMismatchAlerting | Enable if tokens for RoleA are used in resources only RoleB should access |