Correlate creation or modification of serverless functions (e.g., AWS Lambda, GCP Cloud Functions, Azure Functions) with anomalous IAM role assignments or permissions escalation events. Detect subsequent executions of newly created functions that perform unexpected actions such as spawning outbound network connections, accessing sensitive resources, or creating additional credentials.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | AWS:CloudTrail | CreateFunction / UpdateFunctionConfiguration: Function creation, role assignment, or configuration change events |
| Application Log Content (DC0038) | AWS:CloudTrail | InvokeFunction: Unexpected or repeated invocation of functions not tied to known workflows |

| Field | Description |
|---|---|
| RoleScope | Which IAM roles or privileges are considered sensitive when applied to functions |
| AllowedFunctions | Known baseline list of approved serverless functions to reduce false positives |
| TimeWindow | Temporal threshold for correlating function creation with anomalous execution |
Monitor for creation of new Power Automate flows or equivalent automation scripts that trigger on user or file events. Detect anomalous actions performed by these automations, such as email forwarding, anonymous link creation, or unexpected API calls to external endpoints.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | m365:unified | AddFlow / UpdateFlow: New automation or workflow creation events |
| Application Log Content (DC0038) | m365:exchange | New-InboxRule: Automation that triggers abnormal forwarding or external link generation |

| Field | Description |
|---|---|
| UserContext | Business units or users where automation creation is expected (developers, admins) |
| FlowActions | Specific automation actions (email forwarding, file sharing) that should be considered suspicious |
Track creation or update of SaaS automation scripts (e.g., Google Workspace Apps Script). Detect when these scripts are bound to user events such as file opens or account modifications, and correlate with subsequent abnormal API calls that exfiltrate or modify user data.

| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Modification (DC0069) | saas:appsscript | Create / Update: Deployment of scripts with event-driven triggers |
| Application Log Content (DC0038) | saas:googledrive | FileOpen / FileAccess: Event-driven script triggering on user file actions |

| Field | Description |
|---|---|
| ScriptScope | Which SaaS apps or APIs can be legitimately automated in the environment |
| TriggerTypes | Event-driven triggers (e.g., on file open, on user creation) considered suspicious |
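All three analytics above share one shape: a creation or modification event for a function, flow or script that is sensitive by some criterion (a role in RoleScope, an actor outside UserContext, a trigger in TriggerTypes), followed within TimeWindow by an execution event showing the unexpected behaviour (outbound connections or new credentials, a forwarding rule or anonymous link, an API call outside ScriptScope). The following added example, which is not part of the original analytic page, implements that correlation once over a normalised event stream and applies the tunables from the three tables. The `Event` shape, the `CONFIG` values, the role ARN and every sample event are constructed for the example and are not real CloudTrail, M365 unified audit or Apps Script records; the provider operation names are the ones listed in the tables.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Event:
    """One normalised log record (shape constructed for this example)."""
    ts: datetime        # event time, UTC
    source: str         # "aws", "m365" or "appsscript"
    action: str         # provider operation name, e.g. CreateFunction, AddFlow
    actor: str          # principal that performed the operation
    subject: str        # function / flow / script the operation targets
    attrs: dict = field(default_factory=dict)


# Tunables from the tables above; every value here is a constructed placeholder.
CONFIG = {
    "TimeWindow": timedelta(hours=1),
    "RoleScope": {"arn:aws:iam::000000000000:role/PLACEHOLDER-AdminRole"},
    "AllowedFunctions": {"nightly-report", "hr-onboarding-flow", "drive-indexer"},
    "UserContext": {"alice@corp.example"},      # users expected to build automations
    "FlowActions": {"New-InboxRule", "AnonymousLinkCreated"},
    "TriggerTypes": {"onOpen", "onFileOpen", "onUserCreated"},
    "ScriptScope": {"Drive", "Sheets"},         # APIs a script may legitimately call
}

CREATE_OPS = {"CreateFunction", "UpdateFunctionConfiguration",
              "AddFlow", "UpdateFlow", "Create", "Update"}


def creation_reason(ev, cfg):
    """Return why a creation/modification event is worth tracking, or None."""
    if ev.action not in CREATE_OPS or ev.subject in cfg["AllowedFunctions"]:
        return None
    if ev.source == "aws" and ev.attrs.get("role") in cfg["RoleScope"]:
        return "function bound to sensitive IAM role"
    if ev.source == "m365" and ev.actor not in cfg["UserContext"]:
        return "flow created outside expected user context"
    if ev.source == "appsscript" and ev.attrs.get("trigger") in cfg["TriggerTypes"]:
        return "script bound to event-driven trigger"
    return None


def is_anomalous_followup(ev, cfg):
    """True if an execution event shows the unexpected behaviour described above."""
    if ev.source == "aws" and ev.action == "InvokeFunction":
        return bool(ev.attrs.get("outbound") or ev.attrs.get("created_credentials"))
    if ev.source == "m365":
        return ev.action in cfg["FlowActions"]
    if ev.source == "appsscript" and ev.action in {"FileOpen", "FileAccess"}:
        return ev.attrs.get("api") not in cfg["ScriptScope"]
    return False


def correlate(events, cfg=CONFIG):
    """Pair each tracked creation with anomalous executions of the same subject
    inside TimeWindow. Returns a list of (creation, followup, reason)."""
    alerts, pending = [], []
    for ev in sorted(events, key=lambda e: e.ts):
        # drop tracked creations that have aged out of the correlation window
        pending = [(c, r) for c, r in pending if ev.ts - c.ts <= cfg["TimeWindow"]]
        reason = creation_reason(ev, cfg)
        if reason:
            pending.append((ev, reason))
        elif is_anomalous_followup(ev, cfg):
            alerts.extend((c, ev, r) for c, r in pending
                          if c.source == ev.source and c.subject == ev.subject)
    return alerts


T0 = datetime(2024, 5, 1, 12, 0)  # constructed timestamp
ADMIN = "arn:aws:iam::000000000000:role/PLACEHOLDER-AdminRole"
SAMPLE_EVENTS = [  # constructed sample stream
    # AWS: new function on a sensitive role, then an invocation with outbound traffic
    Event(T0, "aws", "CreateFunction", "deploy-user", "data-sync", {"role": ADMIN}),
    Event(T0 + timedelta(minutes=10), "aws", "InvokeFunction", "data-sync", "data-sync",
          {"outbound": True}),
    # AWS: same role on an approved function is ignored via AllowedFunctions
    Event(T0, "aws", "CreateFunction", "deploy-user", "nightly-report", {"role": ADMIN}),
    Event(T0 + timedelta(minutes=5), "aws", "InvokeFunction", "nightly-report",
          "nightly-report", {"outbound": True}),
    # M365: flow by a user outside UserContext, then a forwarding rule on that flow
    Event(T0, "m365", "AddFlow", "bob@corp.example", "forward-all"),
    Event(T0 + timedelta(minutes=2), "m365", "New-InboxRule", "bob@corp.example", "forward-all"),
    # M365: expected user, same follow-up action, no alert
    Event(T0, "m365", "AddFlow", "alice@corp.example", "ticket-router"),
    Event(T0 + timedelta(minutes=2), "m365", "New-InboxRule", "alice@corp.example", "ticket-router"),
    # Apps Script: onOpen trigger; one out-of-scope API call inside the window, one outside
    Event(T0, "appsscript", "Create", "carol@corp.example", "doc-helper", {"trigger": "onOpen"}),
    Event(T0 + timedelta(minutes=20), "appsscript", "FileOpen", "carol@corp.example",
          "doc-helper", {"api": "UrlFetch"}),
    Event(T0 + timedelta(hours=3), "appsscript", "FileOpen", "carol@corp.example",
          "doc-helper", {"api": "UrlFetch"}),
]


def run_demo(events=SAMPLE_EVENTS, cfg=CONFIG):
    return correlate(events, cfg)


if __name__ == "__main__":
    for creation, followup, reason in run_demo():
        print(f"[{creation.source}] {creation.subject}: {reason}; "
              f"{followup.action} at {followup.ts.isoformat()}")
```

On the sample stream this yields three alerts (`data-sync`, `forward-all`, `doc-helper`); the approved function, the expected user's flow and the script call three hours later are all suppressed by AllowedFunctions, UserContext and TimeWindow respectively. In production the normalisation step is the real work: the `subject` key must tie the CloudTrail `InvokeFunction` record back to the function ARN, the Exchange `New-InboxRule` record back to the flow that created it, and the Drive access record back to the bound script, otherwise the correlation degrades to per-user matching.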