DET0803 Detection of External Remote Services

| Item | Value |
| --- | --- |
| ID | DET0803 |
| Version | 1.0 |
| Created | 21 October 2025 |
| Last Modified | 21 October 2025 |

Technique Detected: T0822 (External Remote Services)

Analytics

ICS

AN1935

Monitor for network traffic originating from unknown/unexpected systems. Monitor authentication logs and analyze for unusual access patterns, windows of activity, and access outside of normal business hours, including use of Valid Accounts. When authentication is not required to access an exposed remote service, monitor for follow-on activities such as anomalous external use of the exposed API or application.
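The authentication-log part of this analytic, as an added example that is not part of the ATT&CK entry: it flags successful remote logons from sources outside an expected range or outside normal working hours. The expected source range, the business-hours window, the log line layout and all sample records are assumptions constructed for illustration.

```python
from datetime import datetime, time
from ipaddress import ip_address, ip_network

# Hypothetical site policy (assumed, not from the ATT&CK page)
EXPECTED_SOURCES = [ip_network("203.0.113.0/28")]  # e.g. vendor VPN egress range
BUSINESS_START, BUSINESS_END = time(7, 0), time(18, 0)
BUSINESS_DAYS = range(0, 5)  # Monday..Friday

# Constructed logon session records: timestamp account source service result
SAMPLE_LOGONS = [
    "2025-10-20T09:14:02 vendor_maint 203.0.113.5 vpn success",
    "2025-10-20T23:41:37 vendor_maint 203.0.113.5 vpn success",
    "2025-10-21T10:02:11 ops_eng 198.51.100.77 rdp-gateway success",
    "2025-10-25T03:05:50 ops_eng 198.51.100.77 rdp-gateway success",
    "2025-10-21T11:30:00 hist_ro 203.0.113.9 vpn failure",
]

def parse(line):
    """Split one record of the assumed five-field layout into typed fields."""
    ts, account, src, service, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "src": ip_address(src), "service": service, "result": result}

def reasons(event):
    """Return the reasons a logon deserves review (empty list if none)."""
    found = []
    if not any(event["src"] in net for net in EXPECTED_SOURCES):
        found.append("unexpected_source")
    t = event["ts"]
    in_hours = BUSINESS_START <= t.time() < BUSINESS_END
    if t.weekday() not in BUSINESS_DAYS or not in_hours:
        found.append("outside_business_hours")
    return found

def triage(lines):
    """Review successful sessions only: these represent valid account use."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev["result"] != "success":
            continue
        why = reasons(ev)
        if why:
            alerts.append((ev["ts"].isoformat(), ev["account"], str(ev["src"]), why))
    return alerts

if __name__ == "__main__":
    for alert in triage(SAMPLE_LOGONS):
        print(alert)
```

Timestamps are compared as recorded, so normalise logs to the site's local time zone before applying the business-hours window.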

Log Sources
| Data Component | Name | Channel |
| --- | --- | --- |
| Network Traffic Flow (DC0078) | Network Traffic | None |
| Logon Session Metadata (DC0088) | Logon Session | None |
| Application Log Content (DC0038) | Application Log | None |
Mutable Elements
Field Description