Behavioral chain: (1) a login from a third-party account or untrusted source network establishes an interactive/remote session; (2) the session acquires elevated privileges or accesses sensitive resources atypical for that account; (3) subsequent lateral movement or data access occurs from the same session/device. Correlate Windows logon events, token elevation/privileged use, and resource access with third-party context.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | WinEventLog:Security | EventCode=4624,4648,4672,4769 |
| Logon Session Metadata (DC0088) | WinEventLog:Security | EventCode=4776,4771,4770 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Application Log Content (DC0038) | WinEventLog:Security | EventCode=4663 |

| Field | Description |
|---|---|
| ThirdPartyCIDRs | Ranges used by MSPs/contractors/VPN egress; used to enrich logons and network flows. |
| ExpectedAdminHosts | Servers where third-party admins are allowed; deviations raise risk. |
| TimeWindow | Correlation window linking logon → elevation → access (e.g., 30–120 minutes). |
| HighValueResources | File shares/AD objects/servers that should never be touched by third-party sessions. |
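The Windows chain above is a session-keyed correlation: a 4624 logon enriched against ThirdPartyCIDRs opens a session, a 4672 on the same logon ID marks elevation, and a 4663 against a HighValueResources object inside TimeWindow completes the chain. The following Python is an added illustration of that logic, not code from the analytic or from ATT&CK; the CIDR ranges, host names, share paths and event records are constructed for the example, and the records are assumed to be pre-normalized so that TargetLogonId (4624) and SubjectLogonId (4672/4663) both appear as `LogonId`.

```python
import ipaddress
from datetime import datetime, timedelta

# Mutable elements from the table above. The values are constructed for this example.
THIRD_PARTY_CIDRS = [ipaddress.ip_network(c) for c in ("203.0.113.0/24", "198.51.100.0/24")]
EXPECTED_ADMIN_HOSTS = {"JUMP01"}                       # where vendor admins are supposed to work
HIGH_VALUE_RESOURCES = {r"\\FS01\Finance", r"\\DC01\SYSVOL"}
TIME_WINDOW = timedelta(minutes=60)                     # logon -> elevation -> access must fit inside


def is_third_party(ip: str) -> bool:
    """Enrichment: does the 4624 source address fall inside a vendor/MSP/VPN-egress range?"""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:                                  # 4624 uses '-' when no address is recorded
        return False
    return any(addr in net for net in THIRD_PARTY_CIDRS)


def correlate(events):
    """events: normalized Security-log records. LogonId is TargetLogonId on 4624 and
    SubjectLogonId on 4672/4663, so all three stages join on one key.
    Returns one alert per session that completes all three stages inside TIME_WINDOW."""
    sessions, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["time"]):
        t, lid = datetime.fromisoformat(ev["time"]), ev["LogonId"]
        if ev["EventCode"] == 4624:                     # stage 1: interactive/remote logon
            if not is_third_party(ev.get("IpAddress", "")):
                continue                                # corporate source: not this chain
            sessions[lid] = {"start": t, "host": ev["Computer"], "src": ev["IpAddress"],
                             "elevated_at": None,
                             # a third-party logon off the expected admin hosts raises risk
                             "score": 1 + (ev["Computer"] not in EXPECTED_ADMIN_HOSTS)}
            continue
        s = sessions.get(lid)
        if s is None or t - s["start"] > TIME_WINDOW:
            continue                                    # no third-party logon, or window expired
        if ev["EventCode"] == 4672:                     # stage 2: special privileges assigned
            s["elevated_at"] = t
        elif (ev["EventCode"] == 4663 and s["elevated_at"]   # stage 3: sensitive object access
              and ev.get("ObjectName") in HIGH_VALUE_RESOURCES):
            alerts.append({"LogonId": lid, "host": s["host"], "src": s["src"],
                           "resource": ev["ObjectName"], "score": s["score"] + 1,
                           "chain_seconds": int((t - s["start"]).total_seconds())})
    return alerts


# Constructed sample records (not real telemetry).
SAMPLE_EVENTS = [
    # vendor source, unexpected host, elevates and reads Finance within the window -> alert
    {"time": "2024-05-01T09:00:00", "EventCode": 4624, "LogonId": "0x3E7A1", "Computer": "FS01", "IpAddress": "203.0.113.25"},
    {"time": "2024-05-01T09:02:10", "EventCode": 4672, "LogonId": "0x3E7A1", "Computer": "FS01"},
    {"time": "2024-05-01T09:15:30", "EventCode": 4663, "LogonId": "0x3E7A1", "Computer": "FS01", "ObjectName": r"\\FS01\Finance"},
    # same actions from a corporate address -> not a third-party chain
    {"time": "2024-05-01T09:00:00", "EventCode": 4624, "LogonId": "0x41B2C", "Computer": "FS01", "IpAddress": "10.20.30.40"},
    {"time": "2024-05-01T09:01:00", "EventCode": 4672, "LogonId": "0x41B2C", "Computer": "FS01"},
    {"time": "2024-05-01T09:05:00", "EventCode": 4663, "LogonId": "0x41B2C", "Computer": "FS01", "ObjectName": r"\\FS01\Finance"},
    # vendor on the expected jump host; the access lands 90 min later, outside TimeWindow -> no alert
    {"time": "2024-05-01T10:00:00", "EventCode": 4624, "LogonId": "0x5C0DE", "Computer": "JUMP01", "IpAddress": "198.51.100.7"},
    {"time": "2024-05-01T10:03:00", "EventCode": 4672, "LogonId": "0x5C0DE", "Computer": "JUMP01"},
    {"time": "2024-05-01T11:30:00", "EventCode": 4663, "LogonId": "0x5C0DE", "Computer": "JUMP01", "ObjectName": r"\\DC01\SYSVOL"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The window is measured from the logon rather than from the elevation, so a vendor session that idles past TimeWindow before touching a share is deliberately dropped; widen TIME_WINDOW or re-key on the 4672 timestamp if long-lived vendor sessions are normal in the environment.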

Behavioral chain: (1) sshd or federated SSO logins from third-party networks or identities; (2) rapid sudo/su privilege elevation; (3) access to sensitive paths or east-west SSH. Correlate auth logs, process execution, and network flows.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Metadata (DC0088) | auditd:SYSCALL | execve,socket,connect,openat |
| Logon Session Creation (DC0067) | linux:syslog | Accepted publickey/password for * from * port * ssh2 |
| Network Traffic Content (DC0085) | NSM:Flow | ssh connections originating from third-party CIDRs |

| Field | Description |
|---|---|
| ThirdPartyUsers | POSIX accounts assigned to vendors/partners. |
| AllowedJumpHosts | Bastion hosts permitted for third-party access. |
| MFAExpected | Flag indicating whether PAM/MFA should be present; used to score risk. |
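Stages (1) and (2) of the Linux chain are visible in syslog alone: the `Accepted <method> for <user> from <ip> port <port> ssh2` line named in the channel column, followed by the `sudo:` line that records elevation. The Python below is an added example, not part of the analytic, that parses those two line formats and scores each third-party login against ThirdPartyUsers, AllowedJumpHosts and MFAExpected. The log lines, user names and hosts are constructed; the rapid-sudo threshold of 120 seconds and the assumption that a PAM-backed MFA step shows up as an `Accepted keyboard-interactive/pam` method are choices made for this example.

```python
import re
from datetime import datetime

# Mutable elements from the table above (constructed values).
THIRD_PARTY_USERS = {"vendor-ops", "msp-svc"}
ALLOWED_JUMP_HOSTS = {"bastion01"}
MFA_EXPECTED = True             # PAM/MFA should be present for vendor accounts
RAPID_SUDO_SECONDS = 120        # "rapid" elevation: sudo this soon after the login

# Traditional syslog has no year, so timestamps are parsed year-less; deltas are only
# meaningful inside one calendar year (assumption of this example).
SYSLOG_TS = r"(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d)"
SSHD_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\S+) "
                     r"for (?P<user>\S+) from (?P<ip>\S+) port \d+ ssh2")
SUDO_RE = re.compile(SYSLOG_TS + r" (?P<host>\S+) sudo:\s+(?P<user>\S+) : TTY=\S+ ; PWD=\S+ ; "
                     r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")


def _ts(stamp: str) -> datetime:
    return datetime.strptime(re.sub(r"\s+", " ", stamp), "%b %d %H:%M:%S")


def score_logins(lines):
    """Returns the third-party logins that accumulated risk, highest first."""
    logins = {}                                     # (host, user) -> most recent login record
    for line in lines:
        m = SSHD_RE.match(line)
        if m:
            rec = {"host": m["host"], "user": m["user"], "ip": m["ip"], "method": m["method"],
                   "time": _ts(m["ts"]), "risk": 0, "reasons": []}
            if rec["user"] in THIRD_PARTY_USERS:    # stage 1: vendor identity logged in
                rec["risk"] += 1
                rec["reasons"].append("third-party account")
                if rec["host"] not in ALLOWED_JUMP_HOSTS:
                    rec["risk"] += 2
                    rec["reasons"].append("host is not an allowed jump host")
                if MFA_EXPECTED and not rec["method"].startswith("keyboard-interactive"):
                    rec["risk"] += 2
                    rec["reasons"].append(f"no PAM/MFA step (method={rec['method']})")
            logins[(rec["host"], rec["user"])] = rec
            continue
        m = SUDO_RE.match(line)
        if m:                                        # stage 2: privilege elevation
            rec = logins.get((m["host"], m["user"]))
            if rec and rec["user"] in THIRD_PARTY_USERS:
                delta = (_ts(m["ts"]) - rec["time"]).total_seconds()
                if 0 <= delta <= RAPID_SUDO_SECONDS:
                    rec["risk"] += 2
                    rec["reasons"].append(f"sudo to {m['target']} {int(delta)}s after login: {m['cmd']}")
    return sorted((r for r in logins.values() if r["risk"]), key=lambda r: -r["risk"])


# Constructed sample syslog lines (not real telemetry).
SAMPLE_LINES = [
    "May 12 09:00:01 bastion01 sshd[2231]: Accepted keyboard-interactive/pam for vendor-ops from 203.0.113.25 port 51522 ssh2",
    "May 12 09:00:05 bastion01 sudo:    vendor-ops : TTY=pts/0 ; PWD=/home/vendor-ops ; USER=root ; COMMAND=/usr/bin/id",
    "May 12 09:10:44 db02 sshd[4410]: Accepted publickey for vendor-ops from 10.10.5.3 port 40112 ssh2",
    "May 12 09:11:02 db02 sudo:    vendor-ops : TTY=pts/1 ; PWD=/home/vendor-ops ; USER=root ; COMMAND=/bin/bash",
    "May 12 09:12:00 db02 sshd[4499]: Accepted publickey for alice from 10.10.1.9 port 40200 ssh2",
    "May 12 09:12:30 db02 sudo:    alice : TTY=pts/2 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
]

if __name__ == "__main__":
    for finding in score_logins(SAMPLE_LINES):
        print(finding["host"], finding["user"], finding["risk"], finding["reasons"])
```

The vendor login on `db02` scores highest because every element fires at once: not a bastion, no MFA method, and root via sudo within seconds. Stage (3), east-west SSH, comes from the NSM:Flow channel rather than syslog and would join on the `(host, user, ip)` tuple this parser already extracts.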

Behavioral chain: (1) third-party interactive login or mobileconfig-based device enrollment; (2) privilege use or admin group change; (3) lateral movement via SMB mounts or SSH. Correlate unified logs and network telemetry.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | macos:unifiedlog | loginwindow or sshd successful login events |
| Logon Session Metadata (DC0088) | macos:unifiedlog | Group membership change for admin or wheel |
| Network Traffic Content (DC0085) | NSM:Flow | ssh/smb connections to internal resources from third-party devices |

| Field | Description |
|---|---|
| ManagedDeviceList | Known corp devices; treat unknown devices as higher risk. |

Behavioral chain: (1) delegated admin or external identity establishes session (e.g., partner/reseller DAP, B2B guest, SAML/OAuth trust); (2) role elevation or app consent/permission grant; (3) downstream privileged actions in the tenant. Correlate IdP sign-in, admin/role assignment, and consent/admin-on-behalf events.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | azure:signinlogs | InteractiveUser, ServicePrincipalSignIn |
| Logon Session Metadata (DC0088) | azure:audit | Add delegated admin / Assign admin roles / Update application consent |
| Application Log Content (DC0038) | m365:unified | Set-PartnerOfRecord / CompanyAdministrator role assignments / New-DelegatedAdminRelationship |

| Field | Description |
|---|---|
| TrustedPartnerTenantIDs | Tenant IDs of approved partners; any others are suspicious. |
| RequiredMFA | Require MFA for partner sessions; alert on bypass or step-up failure. |
| RoleScopeAllowList | Roles third parties may hold (e.g., Helpdesk Admin); flag broader scopes. |

Behavioral chain: (1) cross-account or third-party principal assumes a role into the tenant/subscription/project; (2) privileged API calls are made in short succession; (3) access originates from unfamiliar networks or geos. Correlate assume-role/federation events with sensitive API usage.

| Data Component | Name | Channel |
|---|---|---|
| Logon Session Creation (DC0067) | AWS:CloudTrail | AssumeRole,AssumeRoleWithSAML,AssumeRoleWithWebIdentity |
| Application Log Content (DC0038) | AWS:CloudTrail | CreateUser\|AttachRolePolicy\|CreateAccessKey\|UpdateAssumeRolePolicy\|CreateLoginProfile |
| Logon Session Metadata (DC0088) | gcp:audit | google.iam.credentials.generateAccessToken / serviceAccountTokenCreator |

| Field | Description |
|---|---|
| ExternalAccountAllowList | Cross-account principals permitted to assume roles; used for allow-listing. |
| SensitiveAPIs | Provider-specific list of risky APIs for scoring. |
| GeoVelocityThreshold | Detect impossible travel between partner and tenant actions. |
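For the cloud chain, the three mutable elements map onto three checks over CloudTrail: the caller account on an `AssumeRole*` event against ExternalAccountAllowList, the count of SensitiveAPIs calls the resulting assumed-role session makes inside a short window, and the great-circle speed implied by consecutive source addresses of that session against GeoVelocityThreshold. The Python below is an added example of those checks, not code from the analytic or from AWS; it keys on the real CloudTrail fields (`eventName`, `userIdentity`, `sourceIPAddress`, `responseElements.assumedRoleUser.arn`), but the account IDs, role names, addresses, the tiny IP-to-coordinates table that stands in for a GeoIP database, and the 900 km/h threshold are all constructed for the example.

```python
import math
from datetime import datetime, timedelta

# Mutable elements from the table above (constructed values).
TENANT_ACCOUNT = "111122223333"
EXTERNAL_ACCOUNT_ALLOW_LIST = {"444455556666"}          # approved partner/MSP accounts
SENSITIVE_APIS = {"CreateUser", "AttachRolePolicy", "CreateAccessKey",
                  "UpdateAssumeRolePolicy", "CreateLoginProfile"}
BURST_WINDOW, BURST_COUNT = timedelta(minutes=10), 2    # "short succession" of privileged calls
GEO_VELOCITY_KMH = 900                                  # faster than an airliner: impossible travel

# Stand-in for a GeoIP lookup: source IP -> (latitude, longitude). Constructed.
GEO = {"203.0.113.25": (52.52, 13.40),    # Berlin-ish
       "198.51.100.7": (35.68, 139.69),   # Tokyo-ish
       "192.0.2.44": (52.50, 13.42)}


def parse_time(stamp: str) -> datetime:
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def haversine_km(a, b) -> float:
    """Great-circle distance between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def analyze(records):
    """records: CloudTrail-shaped dicts. Returns alerts in event order."""
    sessions, alerts = {}, {}
    alerts = []
    for r in sorted(records, key=lambda r: r["eventTime"]):
        t, ip, ident = parse_time(r["eventTime"]), r["sourceIPAddress"], r["userIdentity"]
        if r["eventSource"] == "sts.amazonaws.com" and r["eventName"].startswith("AssumeRole"):
            # stage 1: a principal from another account assumes a role here. Federated
            # variants (SAML/WebIdentity) carry no accountId and need their own allow-list.
            caller = ident.get("accountId")
            if caller is not None and caller != TENANT_ACCOUNT and caller not in EXTERNAL_ACCOUNT_ALLOW_LIST:
                alerts.append({"type": "unapproved_external_account", "account": caller,
                               "role": r["requestParameters"]["roleArn"], "src": ip})
            session_arn = r["responseElements"]["assumedRoleUser"]["arn"]
            sessions[session_arn] = {"calls": [], "last": (t, ip)}
            continue
        s = sessions.get(ident.get("arn"))
        if s is None:
            continue                                    # not a session we are tracking
        # stage 3: consecutive actions of one session from locations too far apart
        last_t, last_ip = s["last"]
        if ip != last_ip and ip in GEO and last_ip in GEO:
            km = haversine_km(GEO[last_ip], GEO[ip])
            hours = max((t - last_t).total_seconds() / 3600, 1 / 3600)
            if km / hours > GEO_VELOCITY_KMH:
                alerts.append({"type": "impossible_travel", "session": ident["arn"],
                               "km": round(km), "kmh": round(km / hours)})
        s["last"] = (t, ip)
        # stage 2: sensitive API calls in short succession (fires once per burst)
        if r["eventName"] in SENSITIVE_APIS:
            s["calls"] = [c for c in s["calls"] if t - c <= BURST_WINDOW] + [t]
            if len(s["calls"]) == BURST_COUNT:
                alerts.append({"type": "sensitive_api_burst", "session": ident["arn"],
                               "count": BURST_COUNT, "within": str(BURST_WINDOW)})
    return alerts


def _ct(time, source, name, ident, ip, **extra):
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": ident, "sourceIPAddress": ip}
    rec.update(extra)
    return rec


# Constructed CloudTrail-like records (not real telemetry).
PARTNER_SESSION = "arn:aws:sts::111122223333:assumed-role/PartnerAdmin/msp-ops"
UNKNOWN_SESSION = "arn:aws:sts::111122223333:assumed-role/ReadOnly/unknown"
PARTNER = {"type": "AssumedRole", "arn": PARTNER_SESSION}
SAMPLE_RECORDS = [
    _ct("2024-05-01T10:00:00Z", "sts.amazonaws.com", "AssumeRole",
        {"type": "AWSAccount", "accountId": "444455556666"}, "203.0.113.25",
        requestParameters={"roleArn": "arn:aws:iam::111122223333:role/PartnerAdmin"},
        responseElements={"assumedRoleUser": {"arn": PARTNER_SESSION}}),
    _ct("2024-05-01T10:02:00Z", "iam.amazonaws.com", "CreateUser", PARTNER, "203.0.113.25"),
    _ct("2024-05-01T10:03:00Z", "iam.amazonaws.com", "AttachRolePolicy", PARTNER, "203.0.113.25"),
    _ct("2024-05-01T10:05:00Z", "iam.amazonaws.com", "CreateAccessKey", PARTNER, "198.51.100.7"),
    _ct("2024-05-01T11:00:00Z", "sts.amazonaws.com", "AssumeRole",
        {"type": "AWSAccount", "accountId": "999999999999"}, "192.0.2.44",
        requestParameters={"roleArn": "arn:aws:iam::111122223333:role/ReadOnly"},
        responseElements={"assumedRoleUser": {"arn": UNKNOWN_SESSION}}),
    _ct("2024-05-01T11:01:00Z", "ec2.amazonaws.com", "DescribeInstances",
        {"type": "AssumedRole", "arn": UNKNOWN_SESSION}, "192.0.2.44"),
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_RECORDS):
        print(alert)
```

Keying later calls on `userIdentity.arn` works because every call an assumed-role session makes carries the session ARN returned in the AssumeRole response; that is what ties stages (2) and (3) back to the cross-account event in stage (1).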

Behavioral chain: (1) third-party app or admin connects via OAuth/marketplace install; (2) high-privilege scopes granted; (3) anomalous actions (mass read/exports, admin changes).

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | saas:googleworkspace | OAuth2 authorization grants / Admin role assignments |
| Logon Session Metadata (DC0088) | saas:salesforce | ConnectedApp OAuth policy change / Login as user |

| Field | Description |
|---|---|
| ApprovedApps | Catalog of sanctioned third-party apps and scopes. |
| ExportVolumeThreshold | Data export size/rate baselines to detect abnormal partner activity. |
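The SaaS chain turns on two of the mutable elements: an OAuth grant is compared with the ApprovedApps catalog (unknown client, or scopes beyond what was sanctioned for a known one), and the app's subsequent export volume is compared with its own baseline to implement ExportVolumeThreshold. The Python below is an added example of that triage and is not code from the analytic or from any SaaS vendor; the client ID, app name, scope catalogue, the choice of a median-based baseline with a 5x multiplier and a 500 MB floor, and the daily export figures are all constructed for the example.

```python
import statistics

# Mutable elements from the table above (constructed values).
APPROVED_APPS = {
    "123456-abc.apps.googleusercontent.com": {
        "name": "Contract Review Bot",
        "scopes": {"openid", "email", "https://www.googleapis.com/auth/drive.readonly"},
    },
}
# Example catalogue of scopes that grant broad read/write or admin rights.
HIGH_PRIVILEGE_SCOPES = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/gmail.readonly",
    "https://www.googleapis.com/auth/admin.directory.user",
}
EXPORT_VOLUME_MULTIPLIER = 5.0     # today's export volume vs. the app's daily median
EXPORT_VOLUME_FLOOR_MB = 500       # below this, a multiple of a tiny baseline is noise


def check_grant(grant):
    """grant: {'client_id', 'app_name', 'scopes'} from an OAuth authorization event.
    Returns a list of reasons the grant deviates from ApprovedApps (empty when it is fine)."""
    reasons = []
    approved = APPROVED_APPS.get(grant["client_id"])
    if approved is None:                               # stage 1: app never sanctioned at all
        reasons.append("app not in ApprovedApps catalog")
        unexpected = set(grant["scopes"])
    else:                                              # known app asking for more than agreed
        unexpected = set(grant["scopes"]) - approved["scopes"]
        if unexpected:
            reasons.append(f"scopes beyond approved set: {sorted(unexpected)}")
    high = unexpected & HIGH_PRIVILEGE_SCOPES          # stage 2: the excess is high-privilege
    if high:
        reasons.append(f"high-privilege scopes granted: {sorted(high)}")
    return reasons


def export_anomaly(history_mb, today_mb):
    """history_mb: prior daily export totals for one app; today_mb: the day under review.
    Returns (flagged, threshold_mb). The median resists a single earlier spike."""
    baseline = statistics.median(history_mb) if history_mb else 0.0
    threshold = max(EXPORT_VOLUME_FLOOR_MB, EXPORT_VOLUME_MULTIPLIER * baseline)
    return today_mb > threshold, threshold


def triage(grant, history_mb, today_mb):
    """Stage 3 joined to stages 1-2: a risky grant followed by abnormal export volume
    outranks either signal alone."""
    grant_issues = check_grant(grant)
    flagged, threshold = export_anomaly(history_mb, today_mb)
    reasons = list(grant_issues)
    if flagged:
        reasons.append(f"export volume {today_mb} MB exceeds threshold {threshold:.0f} MB")
    severity = "high" if grant_issues and flagged else "medium" if reasons else "none"
    return {"app": grant["app_name"], "severity": severity, "reasons": reasons}


# Constructed sample inputs (not real telemetry).
HISTORY_MB = [120, 130, 110, 125, 118, 135, 122]
SANCTIONED_GRANT = {"client_id": "123456-abc.apps.googleusercontent.com",
                    "app_name": "Contract Review Bot",
                    "scopes": ["openid", "https://www.googleapis.com/auth/drive.readonly"]}
UNKNOWN_GRANT = {"client_id": "987654-zzz.apps.googleusercontent.com",
                 "app_name": "Inbox Summarizer",
                 "scopes": ["https://www.googleapis.com/auth/gmail.readonly"]}

if __name__ == "__main__":
    print(triage(SANCTIONED_GRANT, HISTORY_MB, 140))
    print(triage(UNKNOWN_GRANT, HISTORY_MB, 2400))
```

The history and threshold are kept per app rather than per tenant: a busy, sanctioned backup integration would otherwise set a baseline that hides a small new app exporting far more than it ever has.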

Behavioral chain: (1) delegated administration offers/relationships created or modified by partner tenants; (2) mailbox delegation/impersonation enabled; (3) follow-on access from partner IPs.

| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | m365:unified | Add-DelegatedAdmin, Set-PartnerOfRecord, Add-MailboxPermission, Set-OrganizationRelationship |
| Logon Session Creation (DC0067) | azure:signinlogs | InteractiveUser, NonInteractiveUser |

| Field | Description |
|---|---|
| MailboxDelegateAllowList | Specific mailboxes third-parties may manage. |