Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Identity Threat Detection Logic Library
Advanced detection strategies for machine identities, service principals, CI/CD pipelines, API tokens, SCIM provisioning flows, and workload automation. The rules in this library cover persistence mechanisms, privilege escalation attempts, automation abuse patterns, token replay attacks, and unauthorized identity propagation across cloud platforms and hybrid environments.
Service Principal Threat Detection
Service principals represent a critical attack surface in cloud identity infrastructure. These detection rules identify anomalous behavior patterns that indicate compromise, privilege abuse, or unauthorized access attempts across Microsoft Entra ID (formerly Azure AD) service principals, AWS IAM roles and users, and GCP service accounts.
DL-081: Profile Deviation
Detects service principal activity inconsistent with established application usage patterns, baseline behavior profiles, and expected resource access sequences.
DL-082: Scope Escalation
Identifies service principals suddenly requesting new privileged scopes, permissions, or delegated access rights outside normal change management windows.
DL-083: Resource Boundary Violation
Flags service principals reading or writing data outside their functional scope, accessing unrelated tenants, or crossing established security boundaries.
DL-084: Human Behavioral Patterns
Detects service principal actions exhibiting human-driven attack patterns including reconnaissance, interactive sessions, or sequential exploration behaviors.
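The two rules above come down to a baseline-and-burst check. The following is an added example, not code from the original library or its author: it learns each service principal's (operation, resource type) profile from thirty days of constructed audit events, flags live calls that fall outside that profile (DL-081), and flags a burst of distinct list/get calls inside a short window, which a repetitive automated job does not produce but a person behind a stolen credential does (DL-084). The event fields, operation names and the RECON_VERBS list are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events (not real tenant data). Each record is a simplified
# entry: acting service principal, operation, resource type, UTC timestamp.
# 30 days of a billing exporter that only ever reads a database and writes a blob,
# plus a deployment principal that only ever deploys VMs.
HISTORY = (
    [{"sp": "sp-billing-export", "op": "sql.query.read", "resource": "database",
      "ts": f"2026-01-{d:02d}T01:55:00"} for d in range(1, 31)]
    + [{"sp": "sp-billing-export", "op": "storage.blob.write", "resource": "storage",
        "ts": f"2026-01-{d:02d}T02:00:00"} for d in range(1, 31)]
    + [{"sp": "sp-ci-deploy", "op": "compute.vm.deploy", "resource": "compute",
        "ts": f"2026-01-{d:02d}T12:00:00"} for d in range(1, 31)]
)

# Constructed live events: the nightly run, then the same credential walking the tenant.
LIVE = [
    {"sp": "sp-billing-export", "op": "sql.query.read", "resource": "database", "ts": "2026-02-01T01:55:00"},
    {"sp": "sp-billing-export", "op": "storage.blob.write", "resource": "storage", "ts": "2026-02-01T02:00:00"},
    {"sp": "sp-billing-export", "op": "directory.users.list", "resource": "directory", "ts": "2026-02-01T02:05:00"},
    {"sp": "sp-billing-export", "op": "directory.roles.list", "resource": "directory", "ts": "2026-02-01T02:06:10"},
    {"sp": "sp-billing-export", "op": "directory.apps.list", "resource": "directory", "ts": "2026-02-01T02:07:30"},
    {"sp": "sp-billing-export", "op": "keyvault.secrets.list", "resource": "keyvault", "ts": "2026-02-01T02:08:00"},
    {"sp": "sp-billing-export", "op": "keyvault.secret.get", "resource": "keyvault", "ts": "2026-02-01T02:09:45"},
    {"sp": "sp-ci-deploy", "op": "compute.vm.deploy", "resource": "compute", "ts": "2026-02-01T12:00:00"},
]

# Assumption: operation names end in a verb, and these verbs are the read/list
# calls an attacker uses to map what a stolen credential can reach.
RECON_VERBS = ("list", "get", "describe", "enumerate")


def build_baseline(events):
    """Per-principal set of (operation, resource type) pairs seen in the learning window."""
    profile = defaultdict(set)
    for e in events:
        profile[e["sp"]].add((e["op"], e["resource"]))
    return profile


def profile_deviation(baseline, events):
    """DL-081: live events whose (operation, resource) pair never appeared in the baseline."""
    return [e for e in events if (e["op"], e["resource"]) not in baseline.get(e["sp"], set())]


def human_like_recon(events, window=timedelta(minutes=10), min_distinct=4):
    """DL-084: a burst of *distinct* read/list calls inside `window`.
    An automated job repeats the same few calls; a person behind a stolen
    credential fans out across resource types. Returns {sp: [distinct calls]}."""
    by_sp = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["op"].rsplit(".", 1)[-1].startswith(RECON_VERBS):
            by_sp[e["sp"]].append(e)
    flagged = {}
    for sp, calls in by_sp.items():
        for i, first in enumerate(calls):            # slide a window over this principal's recon calls
            t0 = datetime.fromisoformat(first["ts"])
            distinct = set()
            for e in calls[i:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break
                distinct.add((e["op"], e["resource"]))
            if len(distinct) >= min_distinct:
                flagged[sp] = sorted(distinct)
                break
    return flagged


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    for e in profile_deviation(base, LIVE):
        print("DL-081", e["sp"], e["op"])
    for sp, calls in human_like_recon(LIVE).items():
        print("DL-084", sp, len(calls), "distinct recon calls in 10 minutes")
```

The baseline is a plain set here; in production it would be rebuilt on a rolling window and paired with a change-management feed so a sanctioned new integration does not page anyone.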
Machine Identity Authentication Anomalies
DL-085: Consumer VPN Routing
Machine identity authentication routed through consumer VPN services, residential proxies, or Tor exit nodes. Legitimate workloads authenticate from known egress addresses, so this routing is consistent with credential theft or unauthorized access.
DL-086: Privileged Operation Execution
Machine identities executing admin-level operations including user management, role assignments, security configuration changes, or policy modifications outside automated workflows.
DL-087: Cross-Region Token Replay
Machine identity tokens reused from multiple geographic regions simultaneously or in rapid succession, indicating token extraction and replay attacks.
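A worked version of DL-087 over constructed auth-gateway events, added here and not part of the original library: the detector keys on a SHA-256 fingerprint of the bearer token rather than the token itself, remembers where each fingerprint was last presented, and fires when the same token appears from a second region within the replay window. The event fields, region names and token strings are constructed for the example.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta


def token_fingerprint(token: str) -> str:
    """Detection state must never hold raw bearer tokens; key on a truncated SHA-256 instead."""
    return hashlib.sha256(token.encode()).hexdigest()[:16]


def cross_region_replay(events, window=timedelta(minutes=30)):
    """DL-087: the same token presented from more than one region within `window`.
    Returns {fingerprint: {"identity": ..., "regions": [...]}} for each token that tripped.
    Services legitimately active in several regions would be excluded by an allowlist (not shown)."""
    last_seen = defaultdict(dict)   # fingerprint -> {region: last timestamp seen there}
    hits = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        fp = token_fingerprint(e["token"])
        ts = datetime.fromisoformat(e["ts"])
        recent_elsewhere = [
            r for r, t in last_seen[fp].items() if r != e["region"] and ts - t <= window
        ]
        if recent_elsewhere:
            hits[fp] = {"identity": e["identity"], "regions": sorted(recent_elsewhere + [e["region"]])}
        last_seen[fp][e["region"]] = ts
    return hits


# Constructed events: token A is used normally in eu-west-1, then two minutes later
# from ap-southeast-1; token B moves region but hours apart (a failover, not a replay).
TOKEN_A = "constructed-token-A"   # stands in for an opaque bearer token; not a real credential
TOKEN_B = "constructed-token-B"
EVENTS = [
    {"token": TOKEN_A, "identity": "mi-inventory-sync", "region": "eu-west-1", "ts": "2026-03-01T10:00:00"},
    {"token": TOKEN_A, "identity": "mi-inventory-sync", "region": "eu-west-1", "ts": "2026-03-01T10:05:00"},
    {"token": TOKEN_A, "identity": "mi-inventory-sync", "region": "ap-southeast-1", "ts": "2026-03-01T10:07:00"},
    {"token": TOKEN_B, "identity": "mi-report-gen", "region": "us-east-1", "ts": "2026-03-01T09:00:00"},
    {"token": TOKEN_B, "identity": "mi-report-gen", "region": "us-west-2", "ts": "2026-03-01T14:00:00"},
]

if __name__ == "__main__":
    for fp, hit in cross_region_replay(EVENTS).items():
        print(f"DL-087 token {fp} for {hit['identity']} seen from {hit['regions']} within 30 minutes")
```

The window is the tunable that matters: too short and a slow replay slips through, too long and every active-active deployment alerts. Token B shows the trade-off; a five-hour gap is not caught by this rule, which is what DL-132 (long-lived token activity) exists for.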
DL-088: Non-Workload Device Usage
Machine identity credentials appearing on human workstations, unmanaged devices, or systems outside designated compute infrastructure.
DL-089: Interactive Behavior Simulation
Non-human identities performing interactive actions, sequential operations, or behavior patterns characteristic of manual attacker reconnaissance.
Legacy Protocol Exploitation
DL-090: Legacy Protocol Authentication
Unexpected legacy protocol usage by machine identities, including Basic authentication (typically over POP3, IMAP or SMTP) and NTLM, where modern authentication should be enforced. This pattern often indicates credential stuffing, password spray attacks, or exploitation of legacy service accounts with weak authentication requirements.

Machine identities should exclusively use modern authentication protocols including OAuth 2.0, OpenID Connect, certificate-based authentication, or workload identity federation. Legacy protocol usage represents a significant security gap and potential compromise indicator requiring immediate investigation and remediation.
API Key Threat Landscape
API keys represent long-lived credentials vulnerable to extraction, replay, and abuse. These detection rules identify anomalous API key usage patterns across cloud platforms, SaaS applications, and hybrid infrastructure environments.
DL-091: Volume Spike
Sudden high-volume API key usage exceeding baseline thresholds, indicating automation abuse, data exfiltration attempts, or compromised key material.
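The phrase "exceeding baseline thresholds" hides the hard part of DL-091: a fixed threshold is either too loose for quiet keys or too noisy for busy ones. The following is an added example (not the library's own code) that counts calls per key from constructed gateway log lines, then scores each key against its own seven-day hourly history using a median/MAD robust z-score, so that an earlier spike in the history does not inflate the threshold the way a standard deviation would. The log line format, key names and counts are constructed for the example.

```python
import re
import statistics

# Constructed line format for an API gateway access log (assumption for the example).
LOG_LINE = re.compile(r"^(?P<ts>\S+) key=(?P<key>\S+) op=(?P<op>\S+) status=(?P<status>\d{3})$")


def constructed_log(key, n):
    """Constructed current-hour lines for `key`: sample data, not a captured log."""
    return [f"2026-03-01T10:{(i // 60) % 60:02d}:{i % 60:02d}Z key={key} op=GET/v1/report status=200"
            for i in range(n)]


CURRENT_HOUR = constructed_log("key-report-01", 2400) + constructed_log("key-billing-02", 118) + ["not a log line"]

# Constructed 7-day hourly history (168 buckets per key): about 120 calls/hour with small jitter.
HISTORY = {key: [120 + (i * 7) % 11 - 5 for i in range(168)] for key in ("key-report-01", "key-billing-02")}


def count_per_key(lines):
    """Calls per API key in the current bucket; malformed lines are skipped, not fatal."""
    counts = {}
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        counts[m["key"]] = counts.get(m["key"], 0) + 1
    return counts


def robust_zscore(value, history):
    """Distance of `value` from the history in MAD units (median absolute deviation).
    1.4826 scales MAD to a standard deviation for normal data; the floor of 1.0 keeps a
    perfectly flat baseline (MAD == 0) from dividing by zero while still allowing it to fire."""
    med = statistics.median(history)
    mad = statistics.median(abs(h - med) for h in history)
    scale = max(1.4826 * mad, 1.0)
    return (value - med) / scale


def volume_spike(current_counts, history, threshold=8.0, min_calls=50):
    """DL-091: current-bucket volume far above the key's own baseline.
    `min_calls` suppresses alerts on keys too quiet for any ratio to be meaningful."""
    alerts = {}
    for key, n in current_counts.items():
        hist = history.get(key)
        if not hist or n < min_calls:
            continue
        z = robust_zscore(n, hist)
        if z >= threshold:
            alerts[key] = {"current": n, "median": statistics.median(hist), "z": round(z, 1)}
    return alerts


if __name__ == "__main__":
    for key, a in volume_spike(count_per_key(CURRENT_HOUR), HISTORY).items():
        print(f"DL-091 {key}: {a['current']} calls this hour vs median {a['median']} (z={a['z']})")
```

Keys with no history (a key seen for the first time) are deliberately not scored here; a brand-new key at high volume is a DL-126 question (who issued it?) rather than a spike.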
DL-092: Geographic Anomaly
API key usage from suspicious or anomalous regions inconsistent with application deployment architecture or organizational presence.
DL-093: Replay Pattern
Reuse of API keys across unrelated workloads, networks, or cloud accounts indicating credential theft and lateral movement.
DL-094: Workload Deviation
API key behavior deviating from expected workload patterns including resource access changes or operation type modifications.
DL-095: Compromised Host
API key activity linked to compromised or infected devices identified through threat intelligence feeds or EDR alerts.
SCIM Provisioning Security
Identity Lifecycle Threats
SCIM (System for Cross-domain Identity Management) provisioning flows represent a critical control plane for identity lifecycle management. Attackers target SCIM to inject privileged identities, manipulate group memberships, or disable deprovisioning controls.
DL-096: Privileged Identity Creation
SCIM flows creating high-privilege identities outside approved workflows
DL-097: Attribute Injection
Unexpected SCIM attribute assignments enabling privilege escalation
DL-098: Unusual Provisioning Source
SCIM activity from untrusted IP ranges or new source systems
DL-099: Unapproved Group Sync
SCIM syncing privileged groups without governance approval
DL-100: Deprovisioning Failure
Identity lifecycle failures due to disabled deprovisioning controls
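DL-096 through DL-099 are all properties of a single SCIM request, so they can be evaluated inline on the provisioning endpoint or over its request log. The block below is an added example, not the library's own detection code: it takes constructed SCIM requests whose bodies follow the RFC 7643 User resource and RFC 7644 PatchOp shapes and returns rule hits for a user created with privilege-bearing attributes (DL-096), an add/replace on a sensitive attribute (DL-097), a call from outside the IdP's egress range (DL-098), and a membership change on a privileged group with no approval reference (DL-099). The privileged group IDs, sensitive attribute list, trusted network and the optional `approval` field on the request are assumptions for the example.

```python
import ipaddress

PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"     # RFC 7644
PRIVILEGED_GROUPS = {"grp-global-admins", "grp-prod-break-glass"}   # constructed group IDs
SENSITIVE_ATTRS = {"roles", "entitlements", "groups", "x509Certificates"}
TRUSTED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]          # TEST-NET-3 stands in for the IdP egress range


def _base_attr(path):
    """'members[value eq "u-9"].display' -> 'members'; 'name.familyName' -> 'name'."""
    return path.split(".")[0].split("[")[0]


def inspect_scim_request(req):
    """Evaluate one SCIM request against DL-096..DL-099. Returns [(rule_id, detail), ...].
    req = {"method", "path", "source_ip", "approval" (optional change ref), "body"}."""
    findings = []
    method, path, body = req["method"], req["path"], req["body"]
    src = ipaddress.ip_address(req["source_ip"])
    if not any(src in net for net in TRUSTED_SOURCES):
        findings.append(("DL-098", f"provisioning call from untrusted source {src}"))

    # DL-096: a freshly created user arriving with privilege-bearing attributes already set
    if method == "POST" and path.rstrip("/") == "/Users":
        for attr in sorted(SENSITIVE_ATTRS & body.keys()):
            findings.append(("DL-096", f"user created with {attr}={body[attr]!r}"))

    if method == "PATCH" and PATCH_SCHEMA in body.get("schemas", []):
        for op in body.get("Operations", []):
            kind, p = op.get("op", "").lower(), op.get("path", "")
            if kind not in ("add", "replace"):
                continue
            # DL-097: with a path the target is explicit; without one RFC 7644 puts attributes in `value`
            value = op.get("value")
            targets = {_base_attr(p)} if p else (set(value.keys()) if isinstance(value, dict) else set())
            for attr in sorted(targets & SENSITIVE_ATTRS):
                findings.append(("DL-097", f"{kind} on sensitive attribute {attr}"))
            # DL-099: membership change on a privileged group with no approval reference
            if path.startswith("/Groups/") and _base_attr(p) == "members":
                gid = path.split("/")[2]
                if gid in PRIVILEGED_GROUPS and not req.get("approval"):
                    findings.append(("DL-099", f"{kind} members on {gid} without approval"))
    return findings


# Constructed requests; bodies follow the RFC 7643/7644 shapes, IDs and IPs are made up.
SAMPLE_REQUESTS = [
    {"method": "POST", "path": "/Users", "source_ip": "203.0.113.10",
     "body": {"schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"], "userName": "svc-backup",
              "roles": [{"value": "tenant-admin"}]}},
    {"method": "PATCH", "path": "/Groups/grp-global-admins", "source_ip": "203.0.113.10",
     "body": {"schemas": [PATCH_SCHEMA],
              "Operations": [{"op": "add", "path": "members", "value": [{"value": "u-4711"}]}]}},
    {"method": "PATCH", "path": "/Users/u-4711", "source_ip": "198.51.100.7",
     "body": {"schemas": [PATCH_SCHEMA],
              "Operations": [{"op": "replace", "path": "entitlements", "value": [{"value": "prod-write"}]}]}},
    {"method": "PATCH", "path": "/Users/u-0815", "source_ip": "203.0.113.11", "approval": "CHG-2201",
     "body": {"schemas": [PATCH_SCHEMA],
              "Operations": [{"op": "replace", "path": "name.familyName", "value": "Doe"}]}},
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(req["method"], req["path"], inspect_scim_request(req) or "clean")
```

The fourth request shows the point of scoping: a routine name change from the trusted range produces nothing, so the rule set stays quiet on the bulk of provisioning traffic and fires on the handful of attributes that actually confer privilege.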
Workload Identity Security
DL-101: Access Spike
Sudden spike in workload identity authentication volume indicating automated attack tools, compromised orchestration systems, or mass credential testing.
DL-102: Cross-Environment Reuse
Workload identities used across different cloud environments, Kubernetes clusters, or isolated security boundaries violating segmentation policies.
DL-103: Token Replay Attack
Replay of workload-issued tokens, including Kubernetes service account tokens, AWS IRSA (IAM Roles for Service Accounts) web identity tokens, or Azure managed identity tokens, from a workload other than the one they were issued to.
DL-104: Admin Operations
Workload identities executing high-risk operations including cluster administration, policy modification, or privileged resource access.
Container Security Threats
Container Identity Exploitation
Container environments introduce unique identity challenges where ephemeral workloads, service meshes, and orchestration systems create complex authentication flows vulnerable to token theft and privilege escalation.
DL-105: Privileged Container Actions
Container workloads executing admin-level tasks including namespace creation, cluster role binding, or privileged pod deployment.
DL-106: Unusual Node Origin
Container identity originating from unexpected cluster nodes, untrusted node pools, or nodes with suspicious workload co-location patterns.
CI/CD Pipeline Security
CI/CD pipelines represent a high-value target for attackers seeking to inject malicious code, steal secrets, or pivot into production environments. These detection rules identify pipeline abuse and token theft patterns.
DL-107: Pipeline Token Replay
Reuse of CI/CD pipeline tokens across unrelated jobs, workflows, or repository contexts
DL-108: Schedule Deviation
Pipeline execution outside intended hours, deployment windows, or expected trigger patterns
DL-109: Suspicious Trigger Source
Pipeline triggers from unapproved sources, external networks, or compromised developer accounts
DL-110: Privilege Expansion
Pipelines making privilege-related changes including IAM modifications or secret access outside change control

Critical Alert: CI/CD pipeline compromise enables supply chain attacks, credential theft, and production environment access. Implement pipeline security monitoring with real-time detection and automated response capabilities.
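DL-107 is most precise when the token itself is checked against the job that presents it, because a CI OIDC token carries claims that bind it to one repository, one run and one workflow. The following is an added example, not the library's or any CI vendor's code: it mints a short-lived JWT with claim names modeled on GitHub Actions OIDC tokens (`repository`, `run_id`, `job_workflow_ref`, `aud`, `jti`, `exp`), verifies the signature with the algorithm pinned rather than read from the header, compares the bound claims to the caller's job record from the CI platform's own run log, and treats a second presentation of the same `jti` as replay. Signing is HS256 with a constructed shared key purely so the example runs offline; real provider tokens are RS256-signed and verified against the provider's published JWKS. The repository, run and audience values are constructed.

```python
import base64
import hashlib
import hmac
import json
import time

DEMO_KEY = b"constructed-key-for-this-example-only"   # never do this outside an example
BOUND_CLAIMS = ("aud", "repository", "run_id", "job_workflow_ref")


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_token(claims, key=DEMO_KEY):
    """Issue a compact JWT; stands in for the CI platform's token endpoint."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_and_decode(token, key=DEMO_KEY):
    """Verify before trusting any claim, and pin the algorithm instead of honouring the header's `alg`."""
    header, payload, sig = token.split(".")
    if json.loads(_b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload))


def pipeline_token_misuse(token, caller, seen_jti, now=None):
    """DL-107: the token's bound claims must match the job actually presenting it, it must be
    unexpired, and its jti must not have been consumed before. `caller` is the job record from
    the CI platform's run log for this request; `seen_jti` is shared state (a TTL cache in production)."""
    claims = verify_and_decode(token)
    now = time.time() if now is None else now
    findings = []
    if claims["exp"] < now:
        findings.append("expired")
    for c in BOUND_CLAIMS:
        if claims.get(c) != caller.get(c):
            findings.append(f"{c} mismatch: token={claims.get(c)!r} caller={caller.get(c)!r}")
    if claims["jti"] in seen_jti:
        findings.append("jti replayed")
    seen_jti.add(claims["jti"])
    return findings


# Constructed scenario with a fixed clock so the results are deterministic.
NOW = 1_750_000_000
ISSUED_TO = {"aud": "sts.example.internal", "repository": "acme/payments", "run_id": "9001",
             "job_workflow_ref": "acme/payments/.github/workflows/deploy.yml@refs/heads/main"}
TOKEN = mint_token({**ISSUED_TO, "sub": "repo:acme/payments:ref:refs/heads/main",
                    "jti": "c0ffee-01", "iat": NOW, "exp": NOW + 300})


def demo():
    seen = set()
    legit = pipeline_token_misuse(TOKEN, ISSUED_TO, seen, now=NOW + 10)
    # The same token later arrives from a job in another repository: lifted from the first run's logs or runner.
    hijacked = {**ISSUED_TO, "repository": "acme/sandbox", "run_id": "9107"}
    replay = pipeline_token_misuse(TOKEN, hijacked, seen, now=NOW + 320)
    # A payload edited to claim the attacker's run must fail signature verification outright.
    header, _, sig = TOKEN.split(".")
    forged_claims = {**ISSUED_TO, "run_id": "9107", "jti": "x", "exp": NOW + 9000}
    forged = f"{header}.{_b64url(json.dumps(forged_claims).encode())}.{sig}"
    try:
        verify_and_decode(forged)
        forged_rejected = False
    except ValueError:
        forged_rejected = True
    return {"legit": legit, "replay": replay, "forged_rejected": forged_rejected}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The replayed presentation produces four independent findings (expired, repository and run_id mismatch, jti reuse); any one of them is enough to refuse the exchange, and the jti check alone catches a replay that lands inside the token's lifetime from the original job context.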
Automation Identity Abuse
DL-111: Interactive Behavior
Automation accounts behaving interactively with sequential operations, exploratory access patterns, or human-like session characteristics indicating credential compromise.
DL-112: Multi-Tenant Usage
Automation tokens reused across multiple tenants, cloud accounts, or organizational boundaries violating security isolation policies.
DL-113: High-Risk Operations
Automation identities performing tasks requiring elevated permissions including disaster recovery operations, encryption key access, or cross-account role assumptions.
DL-114: Service Principal Enumeration
Large-scale attempts to enumerate service principals, application registrations, or workload identities indicating reconnaissance activity.
Lateral Movement Detection
Identity Pivoting Tactics
Attackers leverage compromised machine identities to move laterally through cloud environments, exploiting trust relationships and privilege chains to expand access and achieve persistence.
  • Service principal credential theft
  • Workload identity token extraction
  • OAuth application abuse
  • Cross-cloud authentication pivoting
DL-115: Service Principal Lateral Movement
Service-principal-driven lateral movement across cloud workloads, resource groups, or subscription boundaries
DL-116: Workload Identity Pivoting
Identity pivoting behaviors inside containers, pods, or serverless functions
DL-117: App Registration Token Replay
Attackers replaying tokens tied to app registrations across services
DL-118: OAuth App Pivoting
Attackers pivoting using OAuth app identity and delegated permissions
Credential Lifecycle Violations
DL-119: Post-Rotation Credential Use
Use of machine credentials that should no longer be valid after rotation events, indicating cached credential theft or rotation policy bypass.
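DL-119 is a join between two sources the rotation system already has: the credential inventory (which key ID was issued when, and when it was retired) and the authentication or usage log. The block below is an added example, not the library's own code: it reports any key ID that authenticates after its retirement time plus a short cut-over grace period, reports key IDs the inventory has never issued, and then clusters the findings by source address, because several retired keys tried from one place in a few minutes is the signature of a harvested credential cache being replayed wholesale rather than of one job that missed a rotation. The inventory, usage records, key IDs and addresses are constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed credential inventory (the rotation system's source of truth): when each key id
# was issued and, if rotated out, when it was retired. None means still current.
INVENTORY = {
    "key-etl-v1": {"owner": "svc-etl", "issued": "2026-01-01T00:00:00", "retired": "2026-02-01T00:00:00"},
    "key-etl-v2": {"owner": "svc-etl", "issued": "2026-02-01T00:00:00", "retired": None},
    "key-old-bi": {"owner": "svc-bi", "issued": "2025-06-01T00:00:00", "retired": "2025-09-15T00:00:00"},
}

# Constructed usage log from the API gateway: which key id authenticated, when, from where.
USAGE = [
    {"key_id": "key-etl-v2", "ts": "2026-02-10T03:00:00", "source_ip": "10.0.5.12"},
    {"key_id": "key-etl-v1", "ts": "2026-02-01T00:04:00", "source_ip": "10.0.5.12"},   # cut-over, inside grace
    {"key_id": "key-etl-v1", "ts": "2026-02-12T22:41:00", "source_ip": "192.0.2.77"},  # 11 days after rotation
    {"key_id": "key-old-bi", "ts": "2026-02-12T22:42:00", "source_ip": "192.0.2.77"},  # retired five months ago
    {"key_id": "key-unknown", "ts": "2026-02-12T22:43:00", "source_ip": "192.0.2.77"}, # never issued
]


def post_rotation_use(usage, inventory, grace=timedelta(minutes=15)):
    """DL-119: a key id authenticating after its retirement time plus a short cut-over grace.
    Unknown key ids are reported too: a successful auth with a key the inventory never issued
    means the inventory or the issuer has been bypassed."""
    findings = []
    for u in usage:
        rec = inventory.get(u["key_id"])
        ts = datetime.fromisoformat(u["ts"])
        if rec is None:
            findings.append({**u, "reason": "key id not in inventory"})
            continue
        if rec["retired"] is None:
            continue
        retired = datetime.fromisoformat(rec["retired"])
        if ts > retired + grace:
            findings.append({**u, "owner": rec["owner"], "reason": f"used {ts - retired} after rotation"})
    return findings


def stale_credential_clusters(findings, min_keys=2):
    """Sources that replayed `min_keys` or more stale/unknown credentials: cache-dump behaviour."""
    per_source = Counter(f["source_ip"] for f in findings)
    return {ip: n for ip, n in per_source.items() if n >= min_keys}


if __name__ == "__main__":
    found = post_rotation_use(USAGE, INVENTORY)
    for f in found:
        print("DL-119", f["key_id"], f["source_ip"], f["reason"])
    for ip, n in stale_credential_clusters(found).items():
        print(f"{ip} replayed {n} stale credentials; treat as a harvested cache")
```

The grace window is there because a rotation is never atomic: requests signed just before cut-over arrive just after it. Keep it minutes, not hours, or the rule degrades into DL-132.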
DL-120: High-Risk API Key Operations
API key usage tied to dangerous or destructive commands including resource deletion, encryption key export, or security configuration changes.
DL-121: SCIM Provisioning Failures
Spikes in SCIM provisioning errors indicating tampering, policy violations, or identity synchronization attacks targeting lifecycle controls.
DL-122: SCIM Flow Manipulation
Attempts to exploit or manipulate SCIM flows including attribute injection, group membership tampering, or provisioning policy bypass.
DL-123: SCIM Mapping Modification
Unexpected changes to SCIM attribute mappings enabling privilege escalation or identity attribute manipulation.
DL-124: Workload Identity Issuance Anomalies
Identity issuance anomalies across workloads, clusters, or cloud platforms indicating compromised identity providers.
Advanced Threat Patterns
Sophisticated attackers combine multiple techniques to evade detection and establish persistent access through machine identities. These advanced detection rules identify complex attack chains and cross-layer exploitation patterns.
DL-125: Cross-Layer Token Replay
Token reuse across automation layers, pipelines, and workloads indicating credential harvesting operations
DL-126: Unauthorized Identity Creation
Unexpected creation of new machine or workload identities outside approved provisioning systems
DL-127: Dependency Graph Violation
Machine identities activated outside normal dependency roles and application architecture patterns
DL-128: Deployment Pattern Deviation
Deviations from expected workload deployment and behavior patterns including resource access changes
DL-129: Control Plane Attacks
API keys used to probe or attack identity control plane operations including federation metadata access
Workload Authentication Failures & Human-Like Activity
DL-130: Mass Authentication Failures
Large-scale authentication failures for workload identities indicating configuration errors or credential stuffing attacks
DL-131: Workload-to-Workload Pivoting
Suspicious authentication between workload identities enabling lateral movement through container clusters
DL-132: Long-Lived Token Activity
Use of tokens long after their expected lifecycle indicating stolen credentials or policy violations
DL-133: MFA Interaction Anomalies
Workload identities interacting with MFA flows indicating human-driven compromise attempts

Additional Critical Detections
  • DL-134: Token replay via workload-to-cloud transitions
  • DL-135: Automation identity account enumeration
  • DL-136: Workload identity sensitive read operations
  • DL-137: Machine identity federation metadata access
  • DL-138: Machine identity cross-cloud authentication
  • DL-139: API key lateral movement patterns
  • DL-140: Machine identity in human-interactive sessions
These final detection rules complete the ITDLL framework, providing comprehensive coverage for machine identity threats across modern cloud and hybrid environments.