Retrieval of a container's mounted service account token (read from /var/run/secrets/kubernetes.io/serviceaccount/ inside the pod) followed by API requests that present that token to the Kubernetes API server or to internal services. The file read itself is not visible to the API server; kubernetes:audit records only the subsequent requests, together with the service account identity, source IP and user agent that presented the token, so the file-access side of the correlation needs a host- or pod-level file monitoring source.
| Data Component | Name | Channel |
|---|---|---|
| File Access (DC0055) | kubernetes:audit | Read of the token under /var/run/secrets/kubernetes.io/serviceaccount/ followed by GET or LIST requests to the Kubernetes API server authenticated as that service account |
| Field | Description |
|---|---|
| TimeWindow | Adjust to how quickly a stolen token is expected to be used after it is read; a short window keeps the file read and the first API request in one correlation |
| UserContext | Tuning for service accounts that legitimately call the API, keyed on the client (user agent) and source that normally presents each token |
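The correlation described above, run over a few constructed kubernetes:audit events, as an added example (not code from the original page or from ATT&CK). It applies the UserContext tuning as a per-service-account allowlist of user-agent prefixes, treats token use from outside hypothetical pod and node CIDRs as suspicious, and uses TimeWindow to catch a burst of reads against sensitive resources. The CIDRs, allowlist, and events are assumptions for the example.

```python
"""Added example: flag Kubernetes service-account tokens presented by an
unexpected client or from an unexpected source, plus enumeration bursts.
The audit events below are constructed, not from a real cluster."""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical pod and node CIDRs; token use from outside them is suspicious.
EXPECTED_CIDRS = [ipaddress.ip_network("10.244.0.0/16"), ipaddress.ip_network("10.0.0.0/24")]
# UserContext tuning (hypothetical): service account -> user-agent prefixes that
# legitimately present its token. Anything else (curl, kubectl) is flagged.
KNOWN_CLIENTS = {
    "system:serviceaccount:default:web": ("web-api/",),
    "system:serviceaccount:kube-system:coredns": ("coredns/",),
}
SENSITIVE_RESOURCES = {"secrets", "serviceaccounts", "clusterrolebindings"}
TIME_WINDOW = timedelta(minutes=5)   # TimeWindow tuning
BURST_THRESHOLD = 3                  # sensitive reads within TIME_WINDOW

# Constructed audit events (JSON lines, Metadata-level fields only).
SAMPLE_AUDIT_LOG = """
{"requestReceivedTimestamp":"2024-05-01T10:00:01Z","verb":"list","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"pods","namespace":"default"},"sourceIPs":["10.244.1.7"],"userAgent":"web-api/1.0"}
{"requestReceivedTimestamp":"2024-05-01T10:00:05Z","verb":"get","user":{"username":"system:serviceaccount:kube-system:coredns"},"objectRef":{"resource":"endpoints","namespace":"kube-system"},"sourceIPs":["10.244.0.3"],"userAgent":"coredns/1.11.1"}
{"requestReceivedTimestamp":"2024-05-01T10:01:00Z","verb":"list","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"secrets","namespace":"default"},"sourceIPs":["10.244.1.7"],"userAgent":"curl/8.5.0"}
{"requestReceivedTimestamp":"2024-05-01T10:01:30Z","verb":"list","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"serviceaccounts"},"sourceIPs":["10.244.1.7"],"userAgent":"curl/8.5.0"}
{"requestReceivedTimestamp":"2024-05-01T10:02:00Z","verb":"list","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"clusterrolebindings"},"sourceIPs":["10.244.1.7"],"userAgent":"curl/8.5.0"}
{"requestReceivedTimestamp":"2024-05-01T10:03:00Z","verb":"get","user":{"username":"system:serviceaccount:default:web"},"objectRef":{"resource":"secrets","namespace":"default","name":"db-creds"},"sourceIPs":["203.0.113.9"],"userAgent":"kubectl/v1.29.0"}
"""


def parse_events(text):
    """Parse JSON-lines audit events into the fields the analytic needs, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        events.append({
            "ts": datetime.fromisoformat(ev["requestReceivedTimestamp"].replace("Z", "+00:00")),
            "user": ev["user"]["username"],
            "verb": ev["verb"],
            "resource": ev.get("objectRef", {}).get("resource", ""),
            "ip": ipaddress.ip_address(ev["sourceIPs"][0]),
            "ua": ev.get("userAgent", ""),
        })
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return (service_account, finding, detail) tuples for service-account token use."""
    findings = []
    recent = defaultdict(list)  # per service account: timestamps of sensitive reads
    for e in events:
        if not e["user"].startswith("system:serviceaccount:"):
            continue
        if not any(e["ua"].startswith(p) for p in KNOWN_CLIENTS.get(e["user"], ())):
            findings.append((e["user"], "unexpected-client", e["ua"]))
        if not any(e["ip"] in net for net in EXPECTED_CIDRS):
            findings.append((e["user"], "unexpected-source", str(e["ip"])))
        if e["verb"] in ("get", "list") and e["resource"] in SENSITIVE_RESOURCES:
            window = [t for t in recent[e["user"]] if e["ts"] - t <= TIME_WINDOW]
            window.append(e["ts"])
            recent[e["user"]] = window
            if len(window) == BURST_THRESHOLD:  # fire once per burst
                findings.append((e["user"], "sensitive-enumeration", f"{len(window)} reads in {TIME_WINDOW}"))
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


def run():
    return detect(parse_events(SAMPLE_AUDIT_LOG))


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

Only the `default:web` token trips the rules: four requests from a client it never uses (curl, kubectl), one from an address outside the expected ranges, and one burst of three sensitive-resource reads inside the five-minute window. The coredns traffic, which matches its allowlisted client and range, produces nothing.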
Retrieval of a credential from an instance metadata endpoint (AWS IMDS, Azure IMDS) followed by cloud API calls that use the credential from a client or location the workload does not normally use. The metadata request itself is served locally on the instance and is not recorded in AWS:CloudTrail; what CloudTrail shows is the later use of the instance-role credentials, whose assumed-role session name is the instance ID and whose sessionContext carries ec2RoleDelivery (1.0 for IMDSv1, 2.0 for IMDSv2).
| Data Component | Name | Channel |
|---|---|---|
| Cloud Service Enumeration (DC0083) | AWS:CloudTrail | Enumeration calls (for example GetCallerIdentity, ListBuckets) made with instance-role credentials whose session context carries ec2RoleDelivery, especially shortly after the credentials were issued |
| Cloud Service Modification (DC0069) | AWS:CloudTrail | Use of temporary credentials issued from IMDS access |
| Field | Description |
|---|---|
| UserAgent | Tune for the SDKs and automation tools expected on the instance; CLI or curl user agents presenting instance credentials are the unexpected case |
| TimeWindow | Correlate issuance and use of the credential within its expected validity window, and treat use from a new source IP inside that window as the exfiltration case |
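The CloudTrail side of this analytic, as an added example (not code from the original page or from ATT&CK): it keys on the ec2RoleDelivery attribute to pick out instance-role credentials, then flags use from an address outside the instance's known egress, use by a user agent outside the expected SDKs (the UserAgent tuning), and credentials that IMDSv1 delivered. The records, account ID, instance ID, and egress table are constructed assumptions.

```python
"""Added example: flag EC2 instance-role credentials (delivered through IMDS)
used from off the instance or by an unexpected client, from CloudTrail fields.
Records, account and instance IDs are constructed placeholders."""
import re
from collections import defaultdict

# Hypothetical baseline: instance ID -> egress IPs its API calls should come from.
INSTANCE_EGRESS = {"i-0abc123def4567890": {"198.51.100.7"}}
# UserAgent tuning: SDK prefixes expected on the instance; CLI or curl use is flagged.
EXPECTED_AGENTS = ("aws-sdk-go/", "Boto3/")
INSTANCE_ID = re.compile(r"^i-[0-9a-f]{8,17}$")

# Constructed CloudTrail records. ec2RoleDelivery ("1.0" = IMDSv1, "2.0" = IMDSv2)
# is present only when the session credentials came from the instance metadata service.
def _record(time, source, name, ip, agent, identity):
    return {"eventTime": time, "eventSource": source, "eventName": name,
            "sourceIPAddress": ip, "userAgent": agent, "userIdentity": identity}

INSTANCE_ROLE = "arn:aws:sts::123456789012:assumed-role/WebRole/i-0abc123def4567890"
SAMPLE_TRAIL = {"Records": [
    _record("2024-05-01T10:00:00Z", "s3.amazonaws.com", "GetObject", "198.51.100.7", "aws-sdk-go/1.44.0",
            {"type": "AssumedRole", "arn": INSTANCE_ROLE, "sessionContext": {"ec2RoleDelivery": "2.0"}}),
    _record("2024-05-01T10:05:00Z", "sts.amazonaws.com", "GetCallerIdentity", "198.51.100.7", "aws-cli/2.15.0",
            {"type": "AssumedRole", "arn": INSTANCE_ROLE, "sessionContext": {"ec2RoleDelivery": "2.0"}}),
    _record("2024-05-01T10:20:00Z", "s3.amazonaws.com", "ListBuckets", "203.0.113.42", "aws-cli/2.15.0",
            {"type": "AssumedRole", "arn": INSTANCE_ROLE, "sessionContext": {"ec2RoleDelivery": "1.0"}}),
    _record("2024-05-01T10:30:00Z", "iam.amazonaws.com", "ListUsers", "192.0.2.10", "aws-cli/2.15.0",
            {"type": "IAMUser", "arn": "arn:aws:iam::123456789012:user/admin"}),
]}


def instance_of(record):
    """Instance ID when the record's credentials were issued to an EC2 instance via IMDS, else None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    if "ec2RoleDelivery" not in ident.get("sessionContext", {}):
        return None
    session_name = ident.get("arn", "").rsplit("/", 1)[-1]
    return session_name if INSTANCE_ID.match(session_name) else None


def detect(trail):
    """Return (instance_id, finding, detail) tuples for instance-credential use."""
    findings = []
    for r in trail["Records"]:
        inst = instance_of(r)
        if inst is None:
            continue
        src = r["sourceIPAddress"]
        # AWS services calling on the instance's behalf report a service hostname, not an IP.
        if not src.endswith(".amazonaws.com") and src not in INSTANCE_EGRESS.get(inst, set()):
            findings.append((inst, "off-instance-use", f"{r['eventName']} from {src}"))
        if not r["userAgent"].startswith(EXPECTED_AGENTS):
            findings.append((inst, "unexpected-user-agent", r["userAgent"]))
        if r["userIdentity"]["sessionContext"]["ec2RoleDelivery"] == "1.0":
            findings.append((inst, "imdsv1-delivery", r["eventName"]))
    return findings


def summarize(findings):
    counts = defaultdict(int)
    for _, kind, _ in findings:
        counts[kind] += 1
    return dict(counts)


def run():
    return detect(SAMPLE_TRAIL)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

The first record (SDK, from the instance's egress, IMDSv2) is clean. The second is the same instance using the CLI, which only the UserAgent rule notices. The third is the classic stolen-credential shape: the instance's role used from an unrelated address, by the CLI, with credentials that IMDSv1 handed out, so all three rules fire. The IAM-user record has no ec2RoleDelivery and is ignored.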
Unusual OAuth application registration followed by user consent grants to that application and subsequent access to high-privilege resources with the tokens those grants produce.
| Data Component | Name | Channel |
|---|---|---|
| Application Log Content (DC0038) | azure:audit | App registrations or consent grants by abnormal users or at unusual times |
| Field | Description |
|---|---|
| ConsentScope | Tune to the scopes that are privileged or risky in the environment (mail, files, directory write, offline_access) |
| AppUserRatio | Threshold on how many users have authorized a given app; an app that only one or two users have consented to, yet requests broad scopes, is the suspicious case |
Use of OAuth tokens by third-party apps to access user mail, calendar, or SharePoint resources where consent was granted recently or obtained through spearphishing (consent phishing).
| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | m365:unified | App-only or delegated access patterns where client_id != known enterprise apps |
| Field | Description |
|---|---|
| ClientAppIDAllowList | Allowlist of known enterprise app IDs; flag access by any client_id outside it |
| AccessVolumeThreshold | Rate of resource access by a newly consented app, measured from the time of consent |
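One block serves the two analytics above (consent grants, then token use against mail and files), as an added example that is not code from the original page or from ATT&CK. On the azure:audit side it scores "Consent to application" entries by scope sensitivity (ConsentScope) and by how many users have consented to the app (AppUserRatio); on the m365:unified side it checks the app ID against an allowlist (ClientAppIDAllowList) and counts reads in the hour after first consent (AccessVolumeThreshold). The record shapes follow the Entra ID and unified audit log fields loosely; the app IDs, users, thresholds, and records are constructed assumptions.

```python
"""Added example: risky OAuth consent grants joined to subsequent app access.
Entra ID consent entries and M365 unified audit records below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

RISKY_SCOPES = {"Mail.Read", "Mail.ReadWrite", "Files.Read.All", "Files.ReadWrite.All",
                "Sites.Read.All", "Directory.ReadWrite.All", "offline_access"}
KNOWN_APP_IDS = {"11111111-1111-1111-1111-111111111111"}  # hypothetical enterprise app allowlist
APP_USER_RATIO_MAX = 2        # apps consented to by this many users or fewer are "rare"
ACCESS_VOLUME_THRESHOLD = 5   # reads by one app within ACCESS_WINDOW of its first consent
ACCESS_WINDOW = timedelta(hours=1)


def consent(ts, user, app, name, scope):
    """Constructed entry shaped after an Entra ID audit 'Consent to application' record."""
    return {"activityDateTime": ts, "activityDisplayName": "Consent to application",
            "initiatedBy": {"user": {"userPrincipalName": user}},
            "targetResources": [{"id": app, "displayName": name, "modifiedProperties": [
                {"displayName": "ConsentAction.Permissions",
                 "newValue": f"[[Id: p1, ClientId: {app}, Scope: {scope}]]"}]}]}


def access(ts, user, op, app):
    """Constructed entry shaped after a unified audit log mail/file access record."""
    return {"CreationTime": ts, "UserId": user, "Operation": op, "AppId": app}


CONSENT_EVENTS = [
    consent("2024-05-01T09:00:00Z", "alice@example.test", "aaaa-app-a", "Mail Sync Helper",
            "openid profile Mail.ReadWrite offline_access"),
    consent("2024-05-01T09:10:00Z", "bob@example.test", "bbbb-app-b", "Expense Tool", "openid profile User.Read"),
    consent("2024-05-01T09:12:00Z", "carol@example.test", "bbbb-app-b", "Expense Tool", "openid profile User.Read"),
    consent("2024-05-01T09:15:00Z", "dave@example.test", "bbbb-app-b", "Expense Tool", "openid profile User.Read"),
]
ACCESS_RECORDS = (
    [access(f"2024-05-01T09:{m:02d}:00Z", "alice@example.test", "MailItemsAccessed", "aaaa-app-a")
     for m in (5, 8, 12, 20, 31, 40)]
    + [access("2024-05-01T09:20:00Z", "bob@example.test", "MailItemsAccessed", "bbbb-app-b"),
       access("2024-05-01T09:25:00Z", "erin@example.test", "FileAccessed", "11111111-1111-1111-1111-111111111111"),
       access("2024-05-01T11:00:00Z", "alice@example.test", "MailItemsAccessed", "aaaa-app-a")]
)


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def parse_consents(events):
    """Extract (time, app, user, scopes) from consent entries; scopes come from ConsentAction.Permissions."""
    out = []
    for ev in events:
        if ev.get("activityDisplayName") != "Consent to application":
            continue
        target = ev["targetResources"][0]
        scopes = set()
        for prop in target.get("modifiedProperties", []):
            if prop["displayName"] == "ConsentAction.Permissions":
                m = re.search(r"Scope:\s*([^\],]+)", prop["newValue"])
                if m:
                    scopes.update(m.group(1).split())
        out.append({"ts": _ts(ev["activityDateTime"]), "app": target["id"], "name": target["displayName"],
                    "user": ev["initiatedBy"]["user"]["userPrincipalName"], "scopes": scopes})
    return out


def detect(consent_events, access_records):
    """Return (app_id, finding, detail) tuples."""
    findings = []
    consents = parse_consents(consent_events)
    users_by_app, first_consent = defaultdict(set), {}
    for c in consents:
        users_by_app[c["app"]].add(c["user"])
        first_consent[c["app"]] = min(first_consent.get(c["app"], c["ts"]), c["ts"])
    # ConsentScope + AppUserRatio: privileged scopes granted to an app few users have authorized.
    for c in consents:
        risky = c["scopes"] & RISKY_SCOPES
        if risky and len(users_by_app[c["app"]]) <= APP_USER_RATIO_MAX:
            findings.append((c["app"], "rare-app-risky-consent", " ".join(sorted(risky))))
    # ClientAppIDAllowList + AccessVolumeThreshold on the unified audit side.
    unknown_apps, volume = set(), defaultdict(int)
    for r in access_records:
        app = r["AppId"]
        if app not in KNOWN_APP_IDS:
            unknown_apps.add(app)
        if app in first_consent and timedelta(0) <= _ts(r["CreationTime"]) - first_consent[app] <= ACCESS_WINDOW:
            volume[app] += 1
    for app in sorted(unknown_apps):
        findings.append((app, "unknown-app-access", "AppId not in allowlist"))
    for app, n in volume.items():
        if n > ACCESS_VOLUME_THRESHOLD:
            findings.append((app, "newly-consented-app-burst", f"{n} reads within {ACCESS_WINDOW} of first consent"))
    return findings


def run():
    return detect(CONSENT_EVENTS, ACCESS_RECORDS)


if __name__ == "__main__":
    for finding in run():
        print(finding)
```

"Mail Sync Helper" is the consent-phishing shape: one user, Mail.ReadWrite plus offline_access (a refresh token), and six mailbox reads within forty minutes of consent. "Expense Tool" is consented by three users with only User.Read and makes one read, so it surfaces only because its ID is not on the allowlist; that is the tuning knob a defender would use to quiet it.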
Programmatic access to user content via stolen access tokens in platforms such as Slack, GitHub, or Google Workspace, especially from new IPs or apps, or with excessive resource access.
| Data Component | Name | Channel |
|---|---|---|
| User Account Authentication (DC0002) | saas:googleworkspace | Access via OAuth credentials with unusual scopes or from anomalous IPs |
| Application Log Content (DC0038) | saas:slack | OAuth token use by unknown app client_id accessing private channels or files |
| Field | Description |
|---|---|
| GeoVelocity | Flag when successive uses of the same token come from locations too far apart for the elapsed time (impossible travel) |
| OAuthScopeSensitivity | Weight certain scopes (admin, files:read) as higher risk |
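The GeoVelocity and OAuthScopeSensitivity tunables above, implemented over normalized token-use events from Google Workspace and Slack, as an added example (not code from the original page or from ATT&CK). It groups events by platform, user, and client_id, computes the great-circle speed between successive uses, flags anything faster than an airliner, and grades the finding by the heaviest scope on the token. The events, scope weights, and the IP-to-location table (standing in for a GeoIP database) are constructed assumptions.

```python
"""Added example: impossible-travel detection over OAuth token use, weighted by
scope sensitivity. Events and the IP-to-location table are constructed."""
import math
from collections import defaultdict
from datetime import datetime

MAX_PLAUSIBLE_KMH = 900.0   # GeoVelocity: roughly airliner speed; anything faster is impossible travel
# OAuthScopeSensitivity: weight per scope (hypothetical values); scopes not listed weigh 1.
SCOPE_WEIGHT = {"admin": 3, "files:read": 2, "channels:history": 1,
                "https://www.googleapis.com/auth/drive": 2,
                "https://www.googleapis.com/auth/gmail.readonly": 2}
HIGH_SEVERITY_WEIGHT = 3
# Constructed IP -> (lat, lon) table: New York, London, Brooklyn. Real deployments use GeoIP.
GEO = {"198.51.100.10": (40.7128, -74.0060), "203.0.113.5": (51.5074, -0.1278), "192.0.2.77": (40.6782, -73.9442)}

# Constructed token-use events already normalized to the fields both saas:googleworkspace
# token-audit entries and saas:slack audit entries can supply.
EVENTS = [
    {"platform": "googleworkspace", "user": "alice@example.test", "client_id": "app-x",
     "ts": "2024-05-01T10:00:00Z", "ip": "198.51.100.10", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"platform": "slack", "user": "alice@example.test", "client_id": "app-y",
     "ts": "2024-05-01T10:05:00Z", "ip": "192.0.2.77", "scopes": ["channels:history", "files:read"]},
    {"platform": "googleworkspace", "user": "alice@example.test", "client_id": "app-x",
     "ts": "2024-05-01T10:30:00Z", "ip": "203.0.113.5", "scopes": ["https://www.googleapis.com/auth/drive"]},
    {"platform": "slack", "user": "alice@example.test", "client_id": "app-y",
     "ts": "2024-05-01T12:00:00Z", "ip": "192.0.2.77", "scopes": ["channels:history", "files:read"]},
    {"platform": "slack", "user": "bob@example.test", "client_id": "app-y",
     "ts": "2024-05-01T10:10:00Z", "ip": "203.0.113.5", "scopes": ["admin"]},
    {"platform": "slack", "user": "bob@example.test", "client_id": "app-y",
     "ts": "2024-05-01T13:10:00Z", "ip": "198.51.100.10", "scopes": ["admin"]},
]


def haversine_km(a, b):
    """Great-circle distance in km between two (lat, lon) pairs in degrees."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = math.sin((lat2 - lat1) / 2) ** 2 + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def scope_weight(scopes):
    return max((SCOPE_WEIGHT.get(s, 1) for s in scopes), default=0)


def detect(events):
    """Return one finding per pair of successive token uses that implies impossible travel."""
    findings = []
    by_token = defaultdict(list)
    for e in events:
        by_token[(e["platform"], e["user"], e["client_id"])].append(
            {**e, "t": datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))})
    for (platform, user, client_id), uses in by_token.items():
        uses.sort(key=lambda u: u["t"])
        for prev, cur in zip(uses, uses[1:]):
            if prev["ip"] not in GEO or cur["ip"] not in GEO:
                continue  # no location for one side; cannot compute velocity
            km = haversine_km(GEO[prev["ip"]], GEO[cur["ip"]])
            hours = (cur["t"] - prev["t"]).total_seconds() / 3600
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed <= MAX_PLAUSIBLE_KMH:
                continue
            weight = scope_weight(cur["scopes"])
            findings.append({"platform": platform, "user": user, "client_id": client_id,
                             "from_ip": prev["ip"], "to_ip": cur["ip"], "km": round(km), "kmh": round(speed),
                             "severity": "high" if weight >= HIGH_SEVERITY_WEIGHT else "medium"})
    return findings


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
```

Alice's Drive token moves from New York to London in thirty minutes (medium severity, since drive is weighted 2); Bob's Slack token with an admin scope crosses the Atlantic in three hours, still far above 900 km/h, and is graded high. Alice's Slack token is used twice from the same Brooklyn address and produces nothing. Tokens whose source IP has no location are skipped rather than guessed at, which is the safe default when GeoIP coverage is incomplete.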