Cloud and Identity Monitoring

Detect threats in cloud environments and identity systems.

Last updated: February 2026

Purpose and Scope

Cloud and identity monitoring focuses on detecting threats in SaaS applications, cloud infrastructure, and identity providers. As organizations move to the cloud, attackers increasingly target OAuth tokens, service principals, and cloud APIs.

Prerequisites

  • Log access: Azure AD/Entra ID, Okta, Google Workspace, AWS CloudTrail, Azure Activity Logs
  • SIEM integration: Cloud logs flowing into your security platform
  • Inventory awareness: Known users, groups, applications, and service principals
  • Permission visibility: Understanding of OAuth scopes and cloud IAM policies

Detection Goals

Monitor for:

  • Compromised user accounts and credential stuffing
  • OAuth application abuse and consent phishing
  • Privilege escalation through role and group changes
  • Suspicious cloud resource creation and configuration changes
  • Data exfiltration through cloud APIs and sharing features

Identity Provider Monitoring

Authentication Anomalies

Detect suspicious login patterns:

  • Logins from impossible geographic locations (impossible travel)
  • Logins from anonymizing VPNs or Tor exit nodes
  • Logins from new devices or browsers
  • High volume of failed authentication attempts
  • Successful logins after extended account dormancy

Privilege Changes

Monitor administrative actions:

  • Users added to privileged groups (Global Admin, Security Admin)
  • Role assignments to service principals
  • Conditional access policy modifications
  • MFA settings changed or disabled

OAuth and Application Consent

Detect OAuth abuse:

  • New application consents with risky permissions (Mail.Read, Files.ReadWrite)
  • Admin consent granted to unknown applications
  • Applications requesting permissions atypical for their purpose
  • Illicit consent grants through phishing

Cloud Infrastructure Monitoring

AWS CloudTrail

Key events to monitor:

  • IAM user or role creation
  • Access key creation or usage from new locations
  • S3 bucket policy changes or public access
  • Security group modifications
  • CloudTrail logging disabled or modified
  • EC2 instance creation in unusual regions
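As an added example (not part of this guide), the following Python turns the CloudTrail checklist above into detection rules and runs them over a few constructed CloudTrail records; the expected-region list and the per-user source IP baseline are assumptions for a hypothetical organisation.

```python
import json
# Constructed sample CloudTrail records, abbreviated to the fields the rules use; the field
# names are real CloudTrail record fields, the values are made up for this example.
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventName": "StopLogging", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.7"},
    {"eventID": "e2", "eventName": "PutBucketPolicy", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "alice"}, "sourceIPAddress": "203.0.113.7",
     "requestParameters": {"bucketName": "backups", "bucketPolicy": {"Statement": [
         {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject", "Resource": "*"}]}}},
    {"eventID": "e3", "eventName": "RunInstances", "awsRegion": "ap-southeast-2",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "192.0.2.50"},
    {"eventID": "e4", "eventName": "DescribeInstances", "awsRegion": "us-east-1",
     "userIdentity": {"userName": "bob"}, "sourceIPAddress": "198.51.100.9"},
]
# Baselines for a hypothetical organisation (assumptions): the regions it normally uses
# and the source IPs each IAM user's access keys are normally used from.
EXPECTED_REGIONS = {"us-east-1", "eu-west-1"}
KNOWN_SOURCE_IPS = {"alice": {"203.0.113.7"}, "bob": {"198.51.100.9"}}
# Real CloudTrail eventName values that correspond to the key events listed above.
HIGH_RISK_EVENTS = {
    "CreateUser": "IAM user created", "CreateRole": "IAM role created",
    "CreateAccessKey": "access key created", "PutBucketPolicy": "S3 bucket policy changed",
    "PutBucketAcl": "S3 bucket ACL changed", "AuthorizeSecurityGroupIngress": "security group modified",
    "StopLogging": "CloudTrail logging disabled", "DeleteTrail": "CloudTrail trail deleted",
    "UpdateTrail": "CloudTrail configuration modified"}

def bucket_policy_is_public(record):
    """True if a PutBucketPolicy request carries an Allow statement for Principal '*'."""
    policy = (record.get("requestParameters") or {}).get("bucketPolicy") or {}
    if isinstance(policy, str):  # some pipelines deliver the policy as a JSON string
        policy = json.loads(policy)
    return any(s.get("Effect") == "Allow" and s.get("Principal") in ("*", {"AWS": "*"})
               for s in policy.get("Statement", []))

def evaluate(record):
    """Return the alert reasons for one CloudTrail record (empty list if benign)."""
    alerts, name = [], record.get("eventName", "")
    if name in HIGH_RISK_EVENTS:
        alerts.append(HIGH_RISK_EVENTS[name])
    if name == "PutBucketPolicy" and bucket_policy_is_public(record):
        alerts.append("S3 bucket policy grants public access")
    if name == "RunInstances" and record.get("awsRegion") not in EXPECTED_REGIONS:
        alerts.append("EC2 instance launched in unusual region " + record["awsRegion"])
    user = (record.get("userIdentity") or {}).get("userName")
    if user in KNOWN_SOURCE_IPS and record.get("sourceIPAddress") not in KNOWN_SOURCE_IPS[user]:
        alerts.append("API call from new source IP for " + user)
    return alerts

def scan(records):  # eventID -> alert reasons for every record that tripped a rule
    return {r["eventID"]: evaluate(r) for r in records if evaluate(r)}
```

In production the baselines would be learned from historical logs rather than hard-coded, and the matched records would be forwarded to the SIEM with the triggering rule names.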

Azure Activity Logs

Monitor for:

  • Resource group or subscription-level changes
  • Virtual machine creation and network changes
  • Key Vault access and secret retrieval
  • Diagnostic settings disabled
  • Role assignments at subscription scope

Google Cloud Audit Logs

Track:

  • Service account key creation
  • IAM policy changes
  • Firewall rule modifications
  • Cloud Storage bucket permissions
  • Compute instance creation

SaaS Application Monitoring

Microsoft 365

  • Mail forwarding rules created (external forwarding)
  • Inbox rules that delete or hide messages
  • SharePoint/OneDrive sharing to external domains
  • eDiscovery searches by users outside compliance roles
  • Mailbox permissions granted

Google Workspace

  • Drive sharing settings changed to public
  • Third-party app access grants
  • Admin console access from new locations
  • Group membership changes for sensitive groups

Investigation Workflow

  1. Identify the affected user, application, or resource
  2. Review authentication and access logs around the time of the event
  3. Check for other anomalous activity from the same identity
  4. Determine whether the activity was a legitimate administrative action or a compromise
  5. If compromised, identify all accessed resources and data
  6. Contain by revoking sessions, rotating credentials, and disabling accounts

Response Actions

  • Revoke sessions: Force reauthentication for compromised users
  • Rotate credentials: Reset passwords, rotate API keys and secrets
  • Revoke OAuth grants: Remove malicious application permissions
  • Disable accounts: Temporarily disable compromised identities
  • Review data access: Audit what data may have been accessed or exfiltrated

Built by RedPhish LLC. All Rights Reserved. Copyright 2025.