Cisco Duo application enumeration by user


Goal

Detect and investigate attempts to enumerate applications via an Identity Provider (IdP) service, which may indicate an attacker is probing for accessible resources to facilitate lateral movement.

Strategy

This rule monitors enumeration activity via IdP services, where a user repeatedly queries the service to list the applications available to them. Such behavior may indicate an attempt to identify accessible resources and map out targets for lateral movement. Application enumeration is a discovery tactic that commonly precedes the lateral movement and privilege escalation stages of an intrusion.

Triage and Response

  1. Validate the user activity:

    • Check if the user account ({{@usr.name}}) or associated IP address has a legitimate reason for listing applications via the IdP.
    • Review recent authentication attempts and associated IP addresses to determine if there are additional signs of compromise or unauthorized access.
  2. Investigate suspicious enumeration activity:

    • Review IdP logs for additional enumeration patterns, such as repeated application listing requests from the same IP or user within a short time frame.
    • Examine logs for any unusual or infrequently used applications that are being accessed or targeted in enumeration requests.
  3. Containment and remediation:

    • If the enumeration activity is deemed unauthorized, consider restricting the user’s access temporarily and resetting credentials to prevent further probing.
    • Conduct a broader investigation into recent activity from the flagged user and IP to check for other signs of lateral movement, such as privilege escalation or additional resource access attempts.
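The following is an added example, not Datadog's rule logic or Cisco Duo's own code. It shows the detection pattern described in the Strategy section (repeated application-listing events from the same user and source IP inside a short window) and the per-user summary an analyst would pull for triage steps 1 and 2. The log records are constructed for this example, and the field names (`timestamp`, `user`, `source_ip`, `action`) and the action value `list_applications` are assumptions; map them onto the real IdP log schema before use.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample IdP admin-activity events (not real Duo log output).
# Field names and the "list_applications" action value are assumptions.
SAMPLE_LOGS = [
    '{"timestamp": "2024-05-01T10:00:00Z", "user": "alice", "source_ip": "203.0.113.10", "action": "list_applications"}',
    '{"timestamp": "2024-05-01T10:00:05Z", "user": "alice", "source_ip": "203.0.113.10", "action": "list_applications"}',
    '{"timestamp": "2024-05-01T10:00:11Z", "user": "alice", "source_ip": "203.0.113.10", "action": "list_applications"}',
    '{"timestamp": "2024-05-01T10:00:20Z", "user": "alice", "source_ip": "203.0.113.10", "action": "list_applications"}',
    '{"timestamp": "2024-05-01T10:00:31Z", "user": "alice", "source_ip": "203.0.113.10", "action": "list_applications"}',
    '{"timestamp": "2024-05-01T10:04:00Z", "user": "alice", "source_ip": "203.0.113.10", "action": "login"}',
    '{"timestamp": "2024-05-01T10:03:00Z", "user": "bob", "source_ip": "198.51.100.7", "action": "list_applications"}',
    '{"timestamp": "2024-05-01T11:30:00Z", "user": "bob", "source_ip": "198.51.100.7", "action": "list_applications"}',
    'not json at all',  # malformed line, skipped by the parser
]

# Action values that count as "listing applications" (assumed for this example).
LIST_ACTIONS = {"list_applications"}


def parse_events(lines):
    """Parse JSON log lines into dicts with a datetime under 'ts'; skip malformed lines."""
    events = []
    for line in lines:
        try:
            rec = json.loads(line)
            ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        except (ValueError, KeyError, TypeError):
            continue
        rec["ts"] = ts
        events.append(rec)
    events.sort(key=lambda r: r["ts"])  # sliding window below assumes time order
    return events


def find_enumeration(events, threshold=5, window=timedelta(minutes=10)):
    """Flag (user, source_ip) pairs with >= threshold listing events inside `window`.

    Returns {(user, source_ip): peak_count_in_window} for flagged pairs only.
    """
    recent = defaultdict(deque)  # (user, ip) -> timestamps of listing events in window
    flagged = {}
    for ev in events:
        if ev.get("action") not in LIST_ACTIONS:
            continue
        key = (ev.get("user"), ev.get("source_ip"))
        q = recent[key]
        q.append(ev["ts"])
        # Drop timestamps that have fallen out of the window.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            flagged[key] = max(flagged.get(key, 0), len(q))
    return flagged


def triage_summary(events, user):
    """Triage steps 1 and 2 for one user: listing count, source IPs seen, and action mix."""
    ips = set()
    actions = defaultdict(int)
    for ev in events:
        if ev.get("user") != user:
            continue
        ips.add(ev.get("source_ip"))
        actions[ev.get("action")] += 1
    return {
        "listing_events": sum(c for a, c in actions.items() if a in LIST_ACTIONS),
        "source_ips": sorted(ips),
        "actions": dict(actions),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOGS)
    for (user, ip), count in find_enumeration(evs).items():
        print(f"enumeration suspected: user={user} ip={ip} listing_events_in_window={count}")
        print("triage:", triage_summary(evs, user))
```

On the constructed input only `alice` is flagged: five listing calls in 31 seconds from one address, while `bob`'s two calls are an hour apart and never accumulate inside the window. Tune `threshold` and `window` against a baseline of normal admin activity in your own environment, since the right values depend on how often legitimate tooling lists applications.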