DET0484 Multi-Platform Cloud Storage Exfiltration Behavior Chain

| Item | Value |
|---|---|
| ID | DET0484 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T1530 (Data from Cloud Storage)

Analytics

IaaS

AN1328

Spike in object access from new IAM user or role followed by data exfiltration to external IPs

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | AWS:CloudTrail | GetObject, CopyObject |
| User Account Metadata (DC0013) | AWS:CloudTrail | AssumeRole |
| Network Traffic Content (DC0085) | AWS:VPCFlowLogs | Unusual volume of data transferred from S3 storage endpoints to non-corporate IPs |

Mutable Elements

| Field | Description |
|---|---|
| TimeWindow | Timeframe for data transfer correlation (e.g., 10 minutes) |
| ExternalIPAllowList | Known list of corporate and expected outbound IP addresses |
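The AN1328 correlation (new role assumption, then an object-read spike, then a large transfer to a non-allow-listed IP inside TimeWindow), written here as an added illustration rather than anything published with this ATT&CK page. The records, thresholds and simplified field names are constructed assumptions, not the real CloudTrail or VPC Flow Log schema.

```python
from datetime import datetime, timedelta

TIME_WINDOW = timedelta(minutes=10)         # mutable element: TimeWindow
EXTERNAL_IP_ALLOW_LIST = {"203.0.113.10"}   # mutable element: ExternalIPAllowList (constructed)
GET_OBJECT_SPIKE = 20                       # assumed: object reads per principal inside the window
EXFIL_BYTES = 50 * 1024 * 1024              # assumed: bytes to one external IP inside the window


def ts(s):
    return datetime.fromisoformat(s)


# Constructed sample records with simplified field names (not the real log schema).
CLOUDTRAIL = (
    [{"t": ts("2025-10-21T10:00:00"), "name": "AssumeRole", "principal": "role/NewRole"}]
    + [{"t": ts("2025-10-21T10:01:00") + timedelta(seconds=5 * i), "name": "GetObject",
        "principal": "role/NewRole"} for i in range(25)]
    + [{"t": ts("2025-10-21T10:02:00"), "name": "GetObject", "principal": "role/BuildRole"}]
)
# Flow records leaving the S3 endpoint: destination IP and byte count.
VPC_FLOWS = [
    {"t": ts("2025-10-21T10:05:00"), "dst": "198.51.100.7", "bytes": 120 * 1024 * 1024},
    {"t": ts("2025-10-21T10:06:00"), "dst": "203.0.113.10", "bytes": 500 * 1024 * 1024},  # allow-listed
]


def detect(cloudtrail, flows, known_principals):
    """Return one alert per (new principal, external destination) that completes the chain."""
    alerts = []
    for ev in cloudtrail:
        # Step 1: an AssumeRole by a principal not seen before anchors the window.
        if ev["name"] != "AssumeRole" or ev["principal"] in known_principals:
            continue
        end = ev["t"] + TIME_WINDOW
        # Step 2: count GetObject/CopyObject by that principal inside the window.
        reads = [e for e in cloudtrail if e["name"] in ("GetObject", "CopyObject")
                 and e["principal"] == ev["principal"] and ev["t"] <= e["t"] <= end]
        if len(reads) < GET_OBJECT_SPIKE:
            continue
        # Step 3: sum bytes per destination outside the allow list in the same window.
        out = {}
        for f in flows:
            if ev["t"] <= f["t"] <= end and f["dst"] not in EXTERNAL_IP_ALLOW_LIST:
                out[f["dst"]] = out.get(f["dst"], 0) + f["bytes"]
        for dst, total in out.items():
            if total >= EXFIL_BYTES:
                alerts.append({"principal": ev["principal"], "reads": len(reads),
                               "dst": dst, "bytes": total})
    return alerts
```

Tuning GET_OBJECT_SPIKE and EXFIL_BYTES against a baseline of normal role activity is what keeps this from firing on legitimate batch jobs.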

SaaS

AN1329

OAuth token granted to external app followed by download of high-volume files in OneDrive/Google Drive

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | m365:unified | FileAccessed, FileDownloaded, ConsentGranted |

Mutable Elements

| Field | Description |
|---|---|
| AppRegistrationNamePattern | Pattern of suspicious OAuth app names (e.g., rclone, mega, backup*) |
| DownloadThresholdMB | Flag file downloads over X MB (e.g., >100MB) within short intervals |

Office Suite

AN1330

Internal user account accesses shared links outside org followed by mass file download

Log Sources

| Data Component | Name | Channel |
|---|---|---|
| Cloud Storage Access (DC0025) | m365:sharepoint | AnonymousLinkCreated, FileDownloaded |
| User Account Authentication (DC0002) | azure:signinlogs | SigninSuccess |

Mutable Elements

| Field | Description |
|---|---|
| LinkVisibilityScope | Whether links allow anonymous/external access |
| DownloadBurstThreshold | Number of files downloaded within <5 mins (e.g., >50 files) |