Spike in object access from new IAM user or role followed by data exfiltration to external IPs
| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | AWS:CloudTrail | GetObject (an S3 data event; it is not recorded unless data-event logging is enabled on the trail for the bucket) |
| User Account Metadata (DC0013) | AWS:CloudTrail | AssumeRole (the new role session is named in `responseElements.assumedRoleUser.arn`; the GetObject calls that follow carry the same ARN as `userIdentity.arn`, which is the join key) |
| Network Traffic Content (DC0085) | AWS:VPCFlowLogs | Unusually large byte counts from S3 endpoint ENIs to non-corporate IPs. Flow logs carry per-flow byte counts rather than payload, and only see traffic that crosses a VPC ENI (for example an instance reading via an S3 gateway or interface endpoint and pushing the data out); a GetObject issued directly from an external IP never touches the VPC and is visible only through the CloudTrail `sourceIPAddress` field |

| Field | Description |
|---|---|
| TimeWindow | Window after AssumeRole within which GetObject volume for that session is summed (e.g., 10 minutes) |
| ExternalIPAllowList | CIDR allow list of corporate egress and expected partner addresses; GetObject calls from any other `sourceIPAddress` count toward the spike |
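
The first analytic as runnable detection logic, added here as an example; it is not part of the original page or of any MITRE or AWS tooling. It sums `bytesTransferredOut` from CloudTrail S3 data events per assumed-role session for the TimeWindow following that session's AssumeRole, counting only calls whose `sourceIPAddress` falls outside ExternalIPAllowList. The CIDRs, the 200 MB volume threshold, the account and role ARNs and every event record are constructed for this example; only the field names follow CloudTrail's schema.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Mutable elements from the table above; the values are example choices
TIME_WINDOW = timedelta(minutes=10)
EXTERNAL_IP_ALLOW_LIST = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "203.0.113.0/24")]
VOLUME_THRESHOLD_BYTES = 200 * 1024 * 1024   # assumption: 200 MB out of S3 per window

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def _ip_allowed(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:        # CloudTrail puts a DNS name here for AWS-service callers
        return True
    return any(addr in net for net in EXTERNAL_IP_ALLOW_LIST)

def session_of(ev):
    """Key both halves of the correlation on the role session ARN: the AssumeRole
    record names the new session in responseElements, and the GetObject calls made
    with that session's credentials carry the same ARN as userIdentity.arn."""
    if ev["eventName"] == "AssumeRole":
        return ev["responseElements"]["assumedRoleUser"]["arn"]
    return ev["userIdentity"]["arn"]

def detect_new_session_exfil(events):
    """Return {session_arn: (bytes_out, external_ips)} for sessions that moved more
    than VOLUME_THRESHOLD_BYTES out of S3 to non-allowlisted IPs within TIME_WINDOW
    of the session being created."""
    started = {session_of(e): _ts(e["eventTime"]) for e in events if e["eventName"] == "AssumeRole"}
    bytes_out, ext_ips = defaultdict(int), defaultdict(set)
    for e in events:
        if e["eventName"] != "GetObject" or e["eventSource"] != "s3.amazonaws.com":
            continue
        sess = session_of(e)
        if sess not in started:
            continue                                 # long-lived session, out of scope here
        age = _ts(e["eventTime"]) - started[sess]
        if not timedelta(0) <= age <= TIME_WINDOW or _ip_allowed(e["sourceIPAddress"]):
            continue
        bytes_out[sess] += e.get("additionalEventData", {}).get("bytesTransferredOut", 0)
        ext_ips[sess].add(e["sourceIPAddress"])
    return {s: (b, ext_ips[s]) for s, b in bytes_out.items() if b > VOLUME_THRESHOLD_BYTES}

# --- constructed sample records (shape follows CloudTrail, contents are invented) ---
ACCOUNT = "111122223333"
EXFIL_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/ReportsRole/contractor-1"
NIGHTLY_SESSION = f"arn:aws:sts::{ACCOUNT}:assumed-role/ReportsRole/nightly-job"

def assume_role(session, t, ip):
    return {"eventName": "AssumeRole", "eventSource": "sts.amazonaws.com", "eventTime": t,
            "userIdentity": {"arn": f"arn:aws:iam::{ACCOUNT}:user/contractor"},
            "sourceIPAddress": ip, "responseElements": {"assumedRoleUser": {"arn": session}}}

def get_object(session, t, ip, nbytes):
    return {"eventName": "GetObject", "eventSource": "s3.amazonaws.com", "eventTime": t,
            "userIdentity": {"arn": session}, "sourceIPAddress": ip,
            "additionalEventData": {"bytesTransferredOut": nbytes}}

MB = 1024 * 1024
SAMPLE_EVENTS = [assume_role(EXFIL_SESSION, "2024-05-01T10:00:00Z", "198.51.100.7"),
                 assume_role(NIGHTLY_SESSION, "2024-05-01T10:00:00Z", "10.0.4.21")]
for m in range(1, 9):   # eight 50 MB objects each, all within ten minutes of AssumeRole
    SAMPLE_EVENTS.append(get_object(EXFIL_SESSION, f"2024-05-01T10:0{m}:30Z", "198.51.100.7", 50 * MB))
    SAMPLE_EVENTS.append(get_object(NIGHTLY_SESSION, f"2024-05-01T10:0{m}:30Z", "10.0.4.21", 50 * MB))
SAMPLE_EVENTS.append(get_object(EXFIL_SESSION, "2024-05-01T10:30:00Z", "198.51.100.7", 50 * MB))  # past window

if __name__ == "__main__":
    for sess, (nbytes, ips) in detect_new_session_exfil(SAMPLE_EVENTS).items():
        print(f"ALERT {sess}: {nbytes // MB} MB to {sorted(ips)} within {TIME_WINDOW}")
```

The nightly session moves the same volume but from an allowlisted address, so it is ignored; the contractor session's ninth object falls outside the window and is not counted. Keying on the session ARN rather than the IAM principal matters because the AssumeRole record's `userIdentity` is the caller, not the session that later reads the objects.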
OAuth token granted to external app followed by download of high-volume files in OneDrive/Google Drive
| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | m365:unified | FileAccessed, FileDownloaded (SharePoint and OneDrive workloads), ConsentGranted (AzureActiveDirectory workload, where the operation is recorded as "Consent to application."); join the two on UserId |

| Field | Description |
|---|---|
| AppRegistrationNamePattern | Glob pattern of suspicious OAuth app display names (e.g., `rclone`, `mega`, `backup*`), matched case-insensitively against the consented application |
| DownloadThresholdMB | Flag downloads totalling more than X MB (e.g., >100 MB) within a short interval. FileDownloaded records carry no file size, so either join size from SharePoint file metadata or apply the threshold as a download count |

Internal user account accesses shared links outside org followed by mass file download

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | m365:sharepoint | AnonymousLinkCreated, FileDownloaded (AnonymousLinkUsed records an outside party following the link, if redemption rather than creation is the trigger) |
| User Account Authentication (DC0002) | azure:signinlogs | SigninSuccess |

| Field | Description |
|---|---|
| LinkVisibilityScope | Whether the created link permits anonymous ("Anyone") or external guest access rather than organisation-only access |
| DownloadBurstThreshold | Number of FileDownloaded events by the same user within 5 minutes of the link creation (e.g., >50 files) |
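
The second and third analytics share one shape, a trigger event followed by a burst of FileDownloaded events from the same UserId, so the following added example (not from the original page or any Microsoft tooling) implements the correlator once and applies it to both. Record fields follow the unified audit log (CreationTime, Operation, UserId, Workload); the `AppDisplayName` field on the consent record is an assumed enrichment rather than a flat field of the raw record, and the user names, thresholds and every record are constructed for the example. Because FileDownloaded carries no size, the DownloadThresholdMB check is applied here as a download count.

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatch

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def trigger_then_burst(records, is_trigger, is_follow, window, threshold):
    """Generic 'A, then at least N x B within window' correlator over unified audit
    log records. Followers are matched on the trigger's UserId so one user's burst
    never inflates another's count. Returns (trigger, followers) pairs."""
    records = sorted(records, key=lambda r: _ts(r["CreationTime"]))
    hits = []
    for i, rec in enumerate(records):
        if not is_trigger(rec):
            continue
        t0, followers = _ts(rec["CreationTime"]), []
        for later in records[i + 1:]:
            if _ts(later["CreationTime"]) - t0 > window:
                break                       # sorted input: nothing further can match
            if later["UserId"] == rec["UserId"] and is_follow(later):
                followers.append(later)
        if len(followers) >= threshold:
            hits.append((rec, followers))
    return hits

def is_download(r):
    return r["Operation"] == "FileDownloaded"

# Analytic 2: consent to a suspicious OAuth app, then a download burst.
APP_NAME_PATTERNS = ("rclone*", "mega*", "backup*")          # AppRegistrationNamePattern

def suspicious_consent(r):
    # AppDisplayName is an assumed enrichment field, not a flat field of the raw record
    return r["Operation"] == "ConsentGranted" and any(
        fnmatch(r["AppDisplayName"].lower(), p) for p in APP_NAME_PATTERNS)

def consent_then_downloads(records, window=timedelta(minutes=30), threshold=20):
    return trigger_then_burst(records, suspicious_consent, is_download, window, threshold)

# Analytic 3: anonymous link created, then mass download (DownloadBurstThreshold).
def anon_link_then_downloads(records, window=timedelta(minutes=5), threshold=50):
    return trigger_then_burst(records, lambda r: r["Operation"] == "AnonymousLinkCreated",
                              is_download, window, threshold)

# --- constructed sample records (field names as in the unified audit log, contents invented) ---
def _rec(op, user, when, **extra):
    return {"CreationTime": when.isoformat(), "Operation": op, "UserId": user,
            "Workload": "AzureActiveDirectory" if op == "ConsentGranted" else "OneDrive", **extra}

T0 = datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc)
T1 = T0 + timedelta(hours=2)
SAMPLE = [_rec("ConsentGranted", "alice@contoso.example", T0, AppDisplayName="rclone"),
          _rec("ConsentGranted", "carol@contoso.example", T0, AppDisplayName="Contoso Expenses"),
          _rec("AnonymousLinkCreated", "bob@contoso.example", T1)]
for m in range(1, 26):      # alice and carol each pull 25 files over 25 minutes
    SAMPLE.append(_rec("FileDownloaded", "alice@contoso.example", T0 + timedelta(minutes=m)))
    SAMPLE.append(_rec("FileDownloaded", "carol@contoso.example", T0 + timedelta(minutes=m)))
for k in range(1, 61):      # bob pulls 60 files in three minutes
    SAMPLE.append(_rec("FileDownloaded", "bob@contoso.example", T1 + timedelta(seconds=3 * k)))

if __name__ == "__main__":
    for trig, files in consent_then_downloads(SAMPLE) + anon_link_then_downloads(SAMPLE):
        print(f"ALERT {trig['UserId']}: {trig['Operation']} followed by {len(files)} downloads")
```

Carol's download burst is identical to Alice's but follows consent to an app whose name matches no pattern, so only Alice fires analytic 2; Bob fires analytic 3 because his 60 downloads land inside the 5-minute window after the anonymous link was created. Sorting once and breaking out of the inner loop at the window edge keeps the correlator linear in practice on a day's worth of records.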