DET0546 Detection of Abused or Compromised Cloud Accounts for Access and Persistence
| Item | Value |
| --- | --- |
| ID | DET0546 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |
Technique Detected: T1078.004 (Cloud Accounts)
Analytics
Identity Provider
AN1503
Detects anomalous authentication activity such as sign-ins from impossible geolocations or legacy protocols from high-privileged accounts.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| AnomalousLocationThreshold | Defines geographic separation (e.g., impossible travel) considered suspicious. |
| ProtocolType | Filter based on legacy or deprecated authentication mechanisms. |
IaaS
AN1504
Detects cloud account use for API calls that exceed normal scope, such as IAM changes or access to services never used before.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| ServiceInteractionBaseline | Custom list of expected service interactions per user or role. |
| RoleSwitchRateThreshold | Frequency of assume-role operations that triggers an alert. |
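An added Python example for AN1504 (not MITRE's code) that applies a ServiceInteractionBaseline to API call records, flags IAM write calls, and counts assume-role operations against a RoleSwitchRateThreshold inside a sliding window. The records are constructed and only borrow CloudTrail's `eventSource`/`eventName` field names; the baseline contents, the principal names and the thresholds are assumptions:

```python
"""Added example for AN1504: out-of-baseline service use, IAM write calls and
assume-role rate over constructed CloudTrail-style records. Not MITRE's code;
baseline contents and thresholds are illustrative assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# ServiceInteractionBaseline: expected eventSource values per principal (assumed)
SERVICE_INTERACTION_BASELINE = {
    "deploy-role": {"ec2.amazonaws.com", "s3.amazonaws.com", "sts.amazonaws.com"},
    "analyst": {"athena.amazonaws.com", "s3.amazonaws.com"},
}
# RoleSwitchRateThreshold: AssumeRole calls per principal inside the window
ROLE_SWITCH_RATE_THRESHOLD = 3
ROLE_SWITCH_WINDOW = timedelta(minutes=10)
# IAM API names beginning with these verbs change identities or permissions
IAM_WRITE_PREFIXES = ("Create", "Put", "Attach", "Detach", "Update", "Delete", "Add")


def out_of_baseline(events, baseline=SERVICE_INTERACTION_BASELINE):
    """One alert per event that is an IAM write or touches a service outside the baseline."""
    alerts = []
    for ev in events:
        svc, name, who = ev["eventSource"], ev["eventName"], ev["principal"]
        if svc == "iam.amazonaws.com" and name.startswith(IAM_WRITE_PREFIXES):
            reason = "iam-write"
        elif svc not in baseline.get(who, set()):
            reason = "out-of-baseline"   # unknown principals have an empty baseline
        else:
            continue
        alerts.append({"principal": who, "eventSource": svc,
                       "eventName": name, "reason": reason})
    return alerts


def role_switch_rate(events, threshold=ROLE_SWITCH_RATE_THRESHOLD, window=ROLE_SWITCH_WINDOW):
    """Principals whose AssumeRole count in any sliding window reaches the threshold."""
    recent = defaultdict(deque)   # principal -> timestamps inside the current window
    peak = defaultdict(int)       # principal -> highest count seen in any window
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["eventSource"] != "sts.amazonaws.com" or ev["eventName"] != "AssumeRole":
            continue
        q = recent[ev["principal"]]
        q.append(ev["time"])
        while ev["time"] - q[0] > window:   # drop calls older than the window
            q.popleft()
        peak[ev["principal"]] = max(peak[ev["principal"]], len(q))
    return {p: n for p, n in peak.items() if n >= threshold}


def _t(h, m):
    return datetime(2025, 10, 21, h, m, tzinfo=timezone.utc)


def _ev(h, m, principal, source, name):
    return {"time": _t(h, m), "principal": principal,
            "eventSource": source, "eventName": name}


# Constructed records: deploy-role attaches a policy and assumes roles four
# times in four minutes; analyst touches EC2 and STS, neither in its baseline.
SAMPLE_EVENTS = [
    _ev(9, 0, "deploy-role", "ec2.amazonaws.com", "RunInstances"),
    _ev(9, 5, "deploy-role", "iam.amazonaws.com", "AttachRolePolicy"),
    _ev(9, 6, "deploy-role", "sts.amazonaws.com", "AssumeRole"),
    _ev(9, 7, "deploy-role", "sts.amazonaws.com", "AssumeRole"),
    _ev(9, 8, "deploy-role", "sts.amazonaws.com", "AssumeRole"),
    _ev(9, 9, "deploy-role", "sts.amazonaws.com", "AssumeRole"),
    _ev(10, 0, "analyst", "athena.amazonaws.com", "StartQueryExecution"),
    _ev(10, 1, "analyst", "s3.amazonaws.com", "GetObject"),
    _ev(10, 2, "analyst", "ec2.amazonaws.com", "DescribeInstances"),
    _ev(11, 0, "analyst", "sts.amazonaws.com", "AssumeRole"),
]

if __name__ == "__main__":
    for a in out_of_baseline(SAMPLE_EVENTS):
        print("baseline alert:", a)
    print("role-switch rate alerts:", role_switch_rate(SAMPLE_EVENTS))
```

Keeping the baseline keyed by principal rather than by account is what lets a single AssumeRole by the analyst surface as an out-of-baseline event even though it is far below the rate threshold; the two checks are complementary rather than redundant.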
SaaS
AN1505
Detects unexpected access or usage of cloud productivity tools (e.g., downloading large numbers of files, creating external shares) by internal users.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| FileDownloadThreshold | Defines excessive access based on number or size of downloads. |
| SharingPolicyViolationThreshold | Defines external sharing behaviors that violate policy. |
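An added Python example for AN1505 (not MITRE's code) that evaluates a FileDownloadThreshold on both count and size inside a sliding window, and a SharingPolicyViolationThreshold on shares to addresses outside the organisation's domains. The audit event layout, the domain list, the thresholds and every sample record are constructed assumptions:

```python
"""Added example for AN1505: excessive file downloads and external-sharing
violations over constructed SaaS audit events. Not MITRE's code; thresholds
and field names are illustrative assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# FileDownloadThreshold: per user within DOWNLOAD_WINDOW (assumed values)
FILE_DOWNLOAD_THRESHOLD = {"count": 50, "bytes": 2 * 1024**3}
DOWNLOAD_WINDOW = timedelta(hours=1)
# SharingPolicyViolationThreshold: external shares per user that trigger an alert
SHARING_POLICY_VIOLATION_THRESHOLD = 2
INTERNAL_DOMAINS = {"example.com"}


def excessive_downloads(events, threshold=FILE_DOWNLOAD_THRESHOLD, window=DOWNLOAD_WINDOW):
    """First breach per user of the count or byte limit in a sliding window."""
    recent = defaultdict(deque)   # user -> deque of (time, size) inside the window
    total = defaultdict(int)      # user -> bytes currently inside the window
    breaches = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["action"] != "download":
            continue
        user = ev["user"]
        q = recent[user]
        q.append((ev["time"], ev["size"]))
        total[user] += ev["size"]
        while ev["time"] - q[0][0] > window:   # expire downloads older than the window
            _, old = q.popleft()
            total[user] -= old
        if user in breaches:
            continue                           # report the first breach only
        if len(q) > threshold["count"]:
            breaches[user] = {"reason": "count", "count": len(q), "bytes": total[user]}
        elif total[user] > threshold["bytes"]:
            breaches[user] = {"reason": "bytes", "count": len(q), "bytes": total[user]}
    return breaches


def external_sharing(events, threshold=SHARING_POLICY_VIOLATION_THRESHOLD,
                     internal=INTERNAL_DOMAINS):
    """Users whose shares to addresses outside the internal domains reach the threshold."""
    external = defaultdict(int)
    for ev in events:
        if ev["action"] != "share":
            continue
        domain = ev["target"].rsplit("@", 1)[-1].lower()
        if domain not in internal:
            external[ev["user"]] += 1
    return {u: n for u, n in external.items() if n >= threshold}


def _t(h, m, s=0):
    return datetime(2025, 10, 21, h, m, s, tzinfo=timezone.utc)


MiB, GiB = 1024**2, 1024**3
# Constructed audit trail
SAMPLE_AUDIT = (
    # mallory: 60 small downloads in 30 minutes (count breach) and three external shares
    [{"time": _t(9, 0) + timedelta(seconds=30 * i), "user": "mallory@example.com",
      "action": "download", "size": 1 * MiB} for i in range(60)]
    + [{"time": _t(9, 40), "user": "mallory@example.com", "action": "share",
        "target": f"contact{i}@external-mail.test"} for i in range(3)]
    # carol: three 1 GiB downloads in ten minutes (byte breach) and one internal share
    + [{"time": _t(13, 5 * i), "user": "carol@example.com",
        "action": "download", "size": 1 * GiB} for i in range(3)]
    + [{"time": _t(13, 20), "user": "carol@example.com", "action": "share",
        "target": "dan@example.com"}]
    # dave: a handful of downloads and a single external share, below both thresholds
    + [{"time": _t(15, i), "user": "dave@example.com",
        "action": "download", "size": 3 * MiB} for i in range(5)]
    + [{"time": _t(15, 10), "user": "dave@example.com", "action": "share",
        "target": "friend@external-mail.test"}]
)

if __name__ == "__main__":
    print("download breaches:", excessive_downloads(SAMPLE_AUDIT))
    print("external sharing:", external_sharing(SAMPLE_AUDIT))
```

Tracking bytes alongside count is what catches the slow bulk exfiltration pattern (few files, each very large) that a pure count threshold would miss, while the count limit catches many small files; the window keeps both measures from accumulating across a whole working day.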
Office Suite
AN1506
Detects login and usage patterns deviating from typical Microsoft 365 or Google Workspace user profiles.
Log Sources
Mutable Elements
| Field | Description |
| --- | --- |
| BusinessHours | Used to identify logins outside of expected work times. |
| OfficeProductivityToolBaseline | Defines expected application usage per department or role. |