
Multi Cloud Attack Coverage Essentials - Resource Abuse

Microsoft Sentinel, Microsoft Corporation

Note: Please refer to the following before installing the solution:

• Review the solution Release Notes

• There may be known issues pertaining to this Solution, please refer to them before installing.

The rise of multi-cloud resource abuse attacks poses a significant threat to the security and integrity of cloud infrastructures. These attacks target vulnerabilities within AWS, GCP, and Azure environments, exploiting misconfigurations, weak access controls, or compromised credentials to gain unauthorized access, manipulate resources, and extract valuable data across cloud platforms. The Multi Cloud Resource Abuse Attack Solution is designed to strengthen detection and prevention measures against such malicious activity. By integrating detection capabilities across AWS, GCP, and Azure, this solution provides a set of detection strategies aimed at identifying abnormal activity, unauthorized access attempts, resource misuse, and data exfiltration. The solution encompasses log monitoring, anomaly detection, and behaviour analysis to detect and respond to potential breaches or abuse. Its coverage extends to a wide array of cloud-based services, including AWS IAM, Azure AD, GCP IAM, storage services, and more, ensuring a comprehensive approach to identifying, mitigating, and responding to potential threats.

Prerequisites:

This is a domain solution and does not include any data connectors. To achieve the most robust protection against Multi Cloud Resource Abuse, it is recommended to deploy this solution in conjunction with complementary tools and solutions across the cloud platforms. Install one or more of the listed solutions to unlock the value provided by this solution.

Microsoft Defender XDR

Microsoft Entra ID

Amazon Web Services

Google Cloud Platform IAM

Google Cloud Platform Audit Logs

This content covers all stages of the attack chain: the initial resource-access attack vector, establishing persistence in an environment, locating data stores and executing malicious activity against them, and then carrying out and hiding that activity. This range of content complements the coverage Microsoft 365 Defender provides across Microsoft Defender products: https://learn.microsoft.com/microsoft-365/security/defender/automatic-attack-disruption

Keywords: Multi-cloud, Cross-cloud, AWS, GCP, GuardDuty, AWS GuardDuty, GCP Security, Security Console, Cloud abuse, Resource Abuse

Analytic Rules: 9
