Multi Cloud Attack Coverage Essentials - Resource Abuse

| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Microsoft - support@microsoft.com |
| First Published | 2023-11-22 |
| Solution Folder | Multi Cloud Attack Coverage Essentials - Resource Abuse |
| Marketplace | Azure Marketplace · Popularity: ⚪ Very Low (0%) |
| Pre-requisites | Microsoft Defender XDR, Microsoft Entra ID, Amazon Web Services, GoogleCloudPlatformIAM, Google Cloud Platform Audit Logs |

The rise of multi-cloud resource abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target weaknesses within AWS, GCP, and Azure environments, exploiting misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across diverse cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to strengthen detection and prevention measures against such malicious activity. By correlating telemetry from AWS, GCP, and Azure, it provides a set of cross-cloud detection strategies aimed at identifying abnormal activity, unauthorized access attempts, resource misuse, and data exfiltration. The solution relies on log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuse. Its coverage extends to a wide array of cloud services such as AWS IAM, Azure AD, GCP IAM, and storage services, providing a comprehensive approach to identifying, mitigating, and responding to potential threats.

For details on the required solutions, see the Pre-requisites section below.

Keywords: Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse

Pre-requisites

This solution depends on 5 other solutions:

| Solution |
|---|
| Amazon Web Services |
| Google Cloud Platform Audit Logs |
| GoogleCloudPlatformIAM |
| Microsoft Defender XDR |
| Microsoft Entra ID |

Data Connectors

This solution does not include its own data connectors; it uses the connectors provided by the dependency solutions listed above.

Tables Used

This solution queries 4 tables from its content items:

| Table | Used By Content |
|---|---|
| AWSCloudTrail | Analytics |
| AWSGuardDuty | Analytics |
| GCPAuditLogs | Analytics |
| SigninLogs | Analytics |

Internal Tables

The following 2 tables are used internally by this solution's content items:

| Table | Used By Content |
|---|---|
| IdentityInfo | Analytics |
| SecurityAlert | Analytics |

Content Items

This solution includes 9 content items:

| Content Type | Count |
|---|---|
| Analytic Rules | 9 |

Analytic Rules

| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Cross-Cloud Password Spray detection | Medium | CredentialAccess | AWSCloudTrail, SigninLogs |
| Cross-Cloud Suspicious Compute resource creation in GCP | Low | InitialAccess, Execution, Persistence, PrivilegeEscalation, CredentialAccess, Discovery, LateralMovement | AWSGuardDuty, GCPAuditLogs |
| Cross-Cloud Suspicious user activity observed in GCP Environment | Medium | InitialAccess, Execution, Persistence, PrivilegeEscalation, CredentialAccess, Discovery | GCPAuditLogs (internal use: SecurityAlert) |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | Medium | CredentialAccess, InitialAccess | AWSGuardDuty, SigninLogs |
| High-Risk Cross-Cloud User Impersonation | Medium | PrivilegeEscalation | AWSCloudTrail, SigninLogs |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | Medium | InitialAccess, CredentialAccess | AWSCloudTrail (internal use: IdentityInfo, SecurityAlert) |
| Suspicious AWS console logins by credential access alerts | Medium | InitialAccess, CredentialAccess | AWSCloudTrail (internal use: IdentityInfo, SecurityAlert) |
| Unauthorized user access across AWS and Azure | Medium | CredentialAccess, Exfiltration, Discovery | AWSGuardDuty, SigninLogs |
| User impersonation by Identity Protection alerts | Medium | PrivilegeEscalation | AWSCloudTrail (internal use: SecurityAlert) |

Release Notes

| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.3 | 07-06-2024 | Analytical Rule description updated |
| 3.0.2 | 08-04-2024 | Added Account and FullName in entity mapping |
| 3.0.1 | 23-02-2024 | Tagged for dependent solutions for deployment |
| 3.0.0 | 22-11-2023 | Initial Release |