Cloud API Calls From Previously Unseen User Roles

Description

This search looks for new commands from each user role.

Content Mapping

This content is not mapped to any local saved search. Add mapping


Use Case

Security Monitoring

Category

Adversary Tactics

Alert Volume

This search looks for new commands from each user role.

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion
Persistence
Privilege Escalation
Initial Access

MITRE ATT&CK Techniques

Valid Accounts

Valid Accounts

MITRE Threat Groups

APT18
APT28
APT33
APT39
APT41
Carbanak
Chimera
Dragonfly 2.0
FIN10
FIN4
FIN5
FIN6
FIN8
Leviathan
Night Dragon
OilRig
PittyTiger
Sandworm Team
Silence
Soft Cell
Suckfly
TEMP.Veles
Threat Group-3390
Wizard Spider
menuPass

Data Sources


   Help

Cloud API Calls From Previously Unseen User Roles Help

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search Previously Seen Cloud API Calls Per User Role - Initial to build the initial table of user roles, commands, and times. You must also enable the second baseline search Previously Seen Cloud API Calls Per User Role - Update to keep this table up to date and to age out old data. You can adjust the time window for this search by updating the cloud_api_calls_from_previously_unseen_user_roles_activity_window macro. You can also provide additional filtering for this search by customizing the cloud_api_calls_from_previously_unseen_user_roles_filter

   Search

Open in Search