Created by Claudiu Tabac - © 2026
This material is open for educational and research use. Commercial use without explicit permission from the author is not allowed.
Category A: Behavioral & Outlier Identity Signals
Detecting identity compromise through behavioral deviations, statistical anomalies, and usage patterns that indicate malicious activity independent of authentication mechanisms.
Understanding Category A
Core Focus
Category A encompasses behavioral, anomalous, and statistical outlier identity signals that detect when identities behave abnormally, regardless of the authentication mechanism employed. These signals do not rely on token metadata or federation artifacts.
Strategic Value
Behavioral signals serve as the earliest indicators of compromise in the identity kill chain. They reveal identity misuse even when attackers successfully evade MFA, detect automation patterns, and catch bot-driven lateral movement across platforms.
Behavioral Deviations
Detect unusual patterns in how identities interact with systems and resources
Identity Usage Anomalies
Identify statistical outliers in account activity and authentication behavior
Context Mismatches
Flag unexpected geographic, device, temporal, and session inconsistencies
Critical Detection Signals: Travel & Device Anomalies
1. Impossible Travel Pattern
Two logins or token uses from geographically distant locations that violate physical plausibility constraints, indicating credential or token compromise.
  • Calculate velocity between authentication events
  • Strong early indicator of stolen credentials
  • Common in APT and credential stuffing campaigns
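The velocity calculation behind this signal, as an added example (not part of the original material and not the author's framework code): consecutive sign-ins for the same identity are ordered by time, the great-circle distance between their geo-enriched source locations is divided by the elapsed time, and any pair implying a speed above an assumed 1000 km/h ceiling is reported. The sample events, the coordinates and the threshold are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real telemetry):
# (identity, UTC timestamp, latitude, longitude of the source IP after geo-enrichment)
SAMPLE_EVENTS = [
    ("alice", "2026-01-10T09:00:00Z", 52.5200, 13.4050),   # Berlin
    ("alice", "2026-01-10T09:40:00Z", 40.7128, -74.0060),  # New York, 40 minutes later
    ("bob",   "2026-01-10T08:00:00Z", 51.5074, -0.1278),   # London
    ("bob",   "2026-01-10T12:30:00Z", 48.8566, 2.3522),    # Paris, 4.5 hours later
]

# Assumed ceiling: anything faster than a commercial flight is treated as physically implausible.
MAX_PLAUSIBLE_KMH = 1000.0


@dataclass(frozen=True)
class SignIn:
    identity: str
    at: datetime
    lat: float
    lon: float


def parse_event(raw):
    identity, ts, lat, lon = raw
    at = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return SignIn(identity, at, lat, lon)


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two points given in degrees."""
    earth_radius_km = 6371.0
    phi1, phi2 = radians(lat1), radians(lat2)
    d_phi = radians(lat2 - lat1)
    d_lambda = radians(lon2 - lon1)
    a = sin(d_phi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(d_lambda / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(a))


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return one finding per consecutive sign-in pair (same identity) whose implied
    velocity exceeds max_kmh. Each finding is (identity, distance_km, hours, kmh)."""
    by_identity = {}
    for event in sorted(events, key=lambda e: (e.identity, e.at)):
        by_identity.setdefault(event.identity, []).append(event)

    findings = []
    for identity, sequence in by_identity.items():
        for prev, cur in zip(sequence, sequence[1:]):
            distance = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            hours = (cur.at - prev.at).total_seconds() / 3600.0
            if hours == 0:
                # Same timestamp from two different places cannot be explained by travel at all.
                if distance > 0:
                    findings.append((identity, round(distance, 1), 0.0, float("inf")))
                continue
            velocity = distance / hours
            if velocity > max_kmh:
                findings.append((identity, round(distance, 1), round(hours, 2), round(velocity, 1)))
    return findings


def scan_sample():
    return find_impossible_travel([parse_event(raw) for raw in SAMPLE_EVENTS])


if __name__ == "__main__":
    for identity, km, hours, kmh in scan_sample():
        print(f"impossible travel: {identity} moved {km} km in {hours} h ({kmh} km/h)")
```

Only the Berlin to New York pair is reported; London to Paris in 4.5 hours is well under the ceiling. In production the geolocation step is the weak point: VPN egress points and mobile carrier NAT both produce false positives, which is why the ASN reputation enrichment mentioned later on this page belongs in front of this check.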
2. Initial Login From Unseen Device
New device immediately performs privileged or unusual operations, suggesting an attacker using stolen tokens or passwords to establish foothold.
  • Monitor first-use device behavior patterns
  • High-risk actions immediately after enrollment
  • Correlate with privilege escalation attempts
3. Sudden Behavioral Shift
Identity exhibiting predictable patterns suddenly accesses admin portals, enumerates resources, or downloads bulk data representing outlier profile deviation.
  • Baseline normal activity patterns
  • Detect statistical deviations in operations
  • Flag privilege boundary violations
Network & Access Pattern Indicators
Unusual ASN or Cloud Provider
Authentication from cloud compute IPs, anonymization networks, or unknown autonomous system numbers—common APT and operator patterns.
Dormant Identity Activation
Previously inactive identity suddenly becomes active, especially concerning for privileged accounts. Strong persistence indicator linked to BP-041 through BP-046.
Failed-to-Success Login Pattern
Rapid sequence of failed authentication attempts followed by sudden success, indicating password spray attacks or MFA fatigue exploitation.
Temporal Deviation
Account activity outside normal business hours, on weekends, or holidays. Indicates automation, initial access broker credential use, or active operator sessions.
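Two of the indicators above, Failed-to-Success Login Pattern and Dormant Identity Activation, implemented over sample log lines as an added example (not from the original material and not the author's framework code). The log format, the IP addresses, the identities and the "last successful sign-in" lookup are all constructed; the failure count, the ten-minute window and the 90-day dormancy threshold are assumptions to tune locally.

```python
import re
from collections import deque
from datetime import datetime, timedelta, timezone

# Constructed sign-in log in a made-up key=value format (not real telemetry or a vendor schema).
LOG_LINES = """\
2026-01-10T03:00:01Z user=alice result=FAILURE src=203.0.113.5
2026-01-10T03:00:03Z user=alice result=FAILURE src=203.0.113.5
2026-01-10T03:00:05Z user=alice result=FAILURE src=203.0.113.5
2026-01-10T03:00:07Z user=alice result=FAILURE src=203.0.113.5
2026-01-10T03:00:09Z user=alice result=FAILURE src=203.0.113.5
2026-01-10T03:00:30Z user=alice result=SUCCESS src=203.0.113.5
2026-01-10T08:15:00Z user=bob result=FAILURE src=198.51.100.7
2026-01-10T08:15:20Z user=bob result=SUCCESS src=198.51.100.7
2026-01-10T22:41:00Z user=svc-legacy result=SUCCESS src=203.0.113.9
"""

# Constructed "last successful sign-in" lookup, as it would come from the identity store.
LAST_SUCCESS = {
    "alice": datetime(2026, 1, 9, 17, 5, tzinfo=timezone.utc),
    "bob": datetime(2026, 1, 9, 9, 0, tzinfo=timezone.utc),
    "svc-legacy": datetime(2025, 8, 1, 0, 0, tzinfo=timezone.utc),
}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAILURE) src=(?P<src>\S+)$"
)


def parse_lines(text):
    """Parse the constructed format into dicts sorted by time; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        at = datetime.strptime(match["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append({"at": at, "user": match["user"], "result": match["result"], "src": match["src"]})
    return sorted(events, key=lambda e: e["at"])


def detect_failed_to_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Flag a success preceded by at least min_failures failures inside a sliding window."""
    recent_failures = {}  # user -> deque of failure timestamps still inside the window
    findings = []
    for event in events:
        queue = recent_failures.setdefault(event["user"], deque())
        while queue and event["at"] - queue[0] > window:
            queue.popleft()  # age out failures older than the window
        if event["result"] == "FAILURE":
            queue.append(event["at"])
        elif len(queue) >= min_failures:
            findings.append({"user": event["user"], "failures": len(queue),
                             "at": event["at"], "src": event["src"]})
            queue.clear()
    return findings


def detect_dormant_activation(events, last_success, dormant_days=90):
    """Flag a successful sign-in for an identity with no success in the last dormant_days."""
    last_seen = dict(last_success)  # copy so the caller's lookup is not mutated
    threshold = timedelta(days=dormant_days)
    findings = []
    for event in events:
        if event["result"] != "SUCCESS":
            continue
        previous = last_seen.get(event["user"])
        if previous is None or event["at"] - previous >= threshold:
            findings.append({"user": event["user"], "at": event["at"], "last_success": previous})
        last_seen[event["user"]] = event["at"]
    return findings


if __name__ == "__main__":
    parsed = parse_lines(LOG_LINES)
    print(detect_failed_to_success(parsed))
    print(detect_dormant_activation(parsed, LAST_SUCCESS))
```

On the sample, alice is reported by the failed-to-success detector (five failures then a success within 30 seconds), bob is not (one mistyped password is normal), and svc-legacy is reported as a dormant activation because its previous success is more than 90 days old. Note that the sliding window is keyed per user only; a spray that rotates source addresses is still caught, which is the point of counting per identity rather than per source.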
Post-Authentication Risk Signals
1. Immediate Sensitive Operations
High-value actions within seconds of sign-in: PIM elevation, app role activation, secret retrieval. Suggests automated or scripted attacker behavior.
2. Excessive Reset Attempts
Repeated password or MFA reset attempts indicating early-stage compromise combined with persistence establishment efforts.
3. Authorization Activity Spike
Unexpected approval of OAuth apps, permissions, or delegated scopes linked to phishing and application impersonation attacks.

Detection Priority
Post-authentication signals provide critical visibility into attacker actions after initial compromise. Monitor the time delta between authentication and sensitive operations—automated tools operate in milliseconds.
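The time-delta measurement recommended above, as an added example (not part of the original material and not the author's framework code): each sensitive operation is paired with the most recent sign-in of the same user and session, and operations landing within an assumed five-second window are reported, with sub-second ones labelled as scripted. The audit timeline and the operation names are constructed and do not follow any vendor's schema.

```python
from datetime import datetime, timezone

# Constructed audit timeline (not real telemetry); operation names are assumed, not a vendor schema.
TIMELINE = [
    {"at": "2026-01-10T10:00:00.000Z", "user": "carol", "session": "s1", "event": "SignIn"},
    {"at": "2026-01-10T10:00:00.420Z", "user": "carol", "session": "s1", "event": "PIMActivateRole"},
    {"at": "2026-01-10T10:00:01.100Z", "user": "carol", "session": "s1", "event": "GetSecret"},
    {"at": "2026-01-10T11:30:00.000Z", "user": "dave", "session": "s2", "event": "SignIn"},
    {"at": "2026-01-10T11:42:15.000Z", "user": "dave", "session": "s2", "event": "PIMActivateRole"},
    {"at": "2026-01-10T11:42:20.000Z", "user": "dave", "session": "s2", "event": "ListFiles"},
]

SENSITIVE_OPERATIONS = {"PIMActivateRole", "AppRoleActivate", "GetSecret", "ConsentToApp"}
SCRIPTED_THRESHOLD_S = 1.0    # assumption: sub-second means no human was in the loop
SUSPICIOUS_THRESHOLD_S = 5.0  # assumption: a human rarely reaches a sensitive action this fast


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def time_to_sensitive_ops(timeline, sensitive=SENSITIVE_OPERATIONS, threshold_s=SUSPICIOUS_THRESHOLD_S):
    """Measure the delay between each session's sign-in and its sensitive operations and
    return those under threshold_s, labelled scripted (sub-second) or suspicious."""
    last_signin = {}  # (user, session) -> sign-in time
    findings = []
    for ev in sorted(timeline, key=lambda e: parse_ts(e["at"])):
        key = (ev["user"], ev["session"])
        at = parse_ts(ev["at"])
        if ev["event"] == "SignIn":
            last_signin[key] = at
            continue
        if ev["event"] not in sensitive or key not in last_signin:
            continue  # not sensitive, or no sign-in seen for this session yet
        delta = (at - last_signin[key]).total_seconds()
        if delta < threshold_s:
            label = "scripted" if delta < SCRIPTED_THRESHOLD_S else "suspicious"
            findings.append({"user": ev["user"], "operation": ev["event"],
                             "delta_s": round(delta, 3), "label": label})
    return findings


if __name__ == "__main__":
    for f in time_to_sensitive_ops(TIMELINE):
        print(f"{f['user']} {f['operation']} {f['delta_s']}s after sign-in -> {f['label']}")
```

On the sample, carol's role activation 0.42 s after sign-in and secret retrieval 1.1 s after sign-in are reported; dave's activation twelve minutes in is not. Pairing on (user, session) rather than on user alone matters: a legitimate interactive session running alongside a hijacked one would otherwise mask the short delta.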
Advanced Identity Abuse Patterns
1. Non-Interactive Sign-In
Identity suddenly used via API or automation tool from unknown application or user agent. Indicates token abuse or service principal impersonation.
2. Cross-Platform Misalignment
Identity behavior diverges across Azure, SaaS platforms, and AWS environments. Strong signal of lateral movement using compromised identity.
3. Geographic Stability Disruption
Identity with historically stable geographic pattern suddenly authenticates from high-risk region associated with advanced persistent threat actors.
4. Session Duration Outlier
Abnormally short sessions suggest automated tooling; exceptionally long sessions indicate token hijacking and persistent session maintenance.
5. Unusual Authentication Method
Identity authenticates using previously unused SSO or authentication method, suggesting federation downgrade or operator testing of login surfaces.
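The Session Duration Outlier signal in code, as an added example (not part of the original material and not the author's framework code). A per-identity baseline of session lengths is summarised with the median and median absolute deviation rather than mean and standard deviation, so that the very long sessions being looked for cannot inflate the baseline and hide themselves. The baseline values, the 3.5 cutoff (the Iglewicz and Hoaglin modified z-score rule) and the minimum sample count are assumptions.

```python
from statistics import median

# Constructed 30-day baseline of one identity's session durations in minutes (not real data).
BASELINE_MINUTES = [25, 30, 32, 28, 45, 40, 35, 27, 38, 33, 29, 31, 36, 42, 26, 34]


def robust_z(baseline, value):
    """Modified z-score: 0.6745 * (value - median) / MAD. Unlike a classic z-score it is not
    distorted by the extreme sessions the detector is meant to find."""
    med = median(baseline)
    mad = median(abs(x - med) for x in baseline)
    if mad == 0:
        # Every baseline session had the same length; any deviation at all is extreme.
        if value == med:
            return 0.0
        return float("inf") if value > med else float("-inf")
    return 0.6745 * (value - med) / mad


def classify_session(baseline, minutes, threshold=3.5, min_samples=10):
    """Label a new session as normal, short_outlier or long_outlier against the baseline."""
    if len(baseline) < min_samples:
        return "insufficient_baseline"  # do not score against a thin baseline
    z = robust_z(baseline, minutes)
    if z > threshold:
        return "long_outlier"   # page: token hijacking, persistent session maintenance
    if z < -threshold:
        return "short_outlier"  # page: automated tooling
    return "normal"


if __name__ == "__main__":
    for minutes in (0.05, 37, 2880):
        print(minutes, "min ->", classify_session(BASELINE_MINUTES, minutes))
```

A three-second session (0.05 min) and a 48-hour session (2880 min) are both reported against this baseline; 37 minutes is normal. Because the baseline is per identity, a service account that legitimately holds day-long sessions is not compared against interactive users.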
Identity Attack Chain Mapping
Behavioral and outlier signals provide detection coverage across multiple stages of the Identity Attack Chain, with particular strength in early-stage compromise identification.
1. Stage 2: Enumeration
Behavioral signals detect reconnaissance activities as attackers probe identity systems and map organizational structure.
2. Stage 3: Credential Acquisition
Anomalous authentication patterns reveal credential harvesting, password spraying, and phishing campaign success.
3. Stage 4: Authentication Abuse
Impossible travel, device anomalies, and temporal deviations expose unauthorized authentication events.
4. Stage 6: Token Tampering
Session outliers and non-interactive sign-ins indicate token manipulation and abuse.
5. Stage 7: Lateral Movement
Cross-platform behavioral misalignment and sudden privilege escalation reveal attacker progression.
Related Breach Patterns & Dependencies
Common Identity Breach Patterns
  • BP-005: Valid Username Harvesting
  • BP-010: Password Spray Attacks
  • BP-013: Cookie Theft
  • BP-028: Token Replay
  • BP-032: Session Sync Hijacking
  • BP-040: Cross-Cloud Exfiltration
Misconfiguration Dependencies
Behavioral detection effectiveness is often undermined by identity misconfigurations that hide telemetry or enable attacker evasion:
  • MC-001: Identity exposure
  • MC-018/019: Legacy authentication protocols
  • MC-076: Weak network segmentation
  • MC-231: Conditional Access and MFA gaps
  • MC-452: Session governance failures
Analyst Intelligence Brief
Behavioral signals represent the highest-value early warnings in modern identity threat detection. They detect compromise before privilege escalation occurs and reveal identity misuse even when attackers successfully evade multi-factor authentication.
Pre-Escalation Detection
Identify compromised identities before attackers achieve privilege escalation or establish persistent access. Time-to-detection measured in minutes, not days.
Automation Pattern Recognition
Catch bot-driven lateral movement and automated tooling through timing analysis, session duration anomalies, and scripted operation sequences.
Multi-Platform Coverage
Behavioral signals map cleanly across cloud providers and SaaS platforms, providing unified detection coverage regardless of infrastructure complexity.
Implementation Considerations
Baseline Establishment
Implement a minimum 30-day behavioral baseline per identity. Account for role-based patterns, shift workers, and legitimate geographic mobility. Update baselines quarterly.
Tuning Strategy
Begin with high-confidence signals like impossible travel and dormant account activation. Gradually introduce context-dependent detections as false positive rates stabilize below 5%.
Integration Requirements
Correlate identity telemetry across Azure AD, AWS IAM, Okta, and application logs. Enrich with threat intelligence feeds covering ASN reputation and anonymization networks.
Response Playbooks
Define graduated response procedures: session termination, MFA re-challenge, account lockdown, and forensic collection. Automate high-confidence scenarios while preserving analyst review for edge cases.
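The Baseline Establishment and Response Playbooks considerations tied together, as an added example (not part of the original material and not the author's framework code): a per-identity baseline of countries, devices and active hours is learned from sign-in history restricted to the last 30 days, each new sign-in is scored against it, and the score selects one of the graduated responses named above. The history, the identities, the signal weights and the tier cutoffs are constructed assumptions; the 30-day window and the minimum sample count are the tunable parameters.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Constructed sign-in history (not real telemetry): (identity, UTC time, country, device id).
HISTORY = [
    ("alice", "2025-11-20T09:00:00Z", "FR", "lap-001"),  # 51 days before AS_OF: outside the window
    ("alice", "2025-12-15T10:00:00Z", "DE", "lap-001"),
    ("alice", "2025-12-22T14:30:00Z", "DE", "lap-001"),
    ("alice", "2026-01-05T08:45:00Z", "DE", "lap-001"),
    ("alice", "2026-01-08T16:10:00Z", "DE", "lap-001"),
]
AS_OF = ts("2026-01-10T00:00:00Z")

# Assumed weights; tune them against the observed false-positive rate.
WEIGHTS = {"new_country": 40, "new_device": 30, "off_hours": 20}


@dataclass
class Baseline:
    countries: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    hours: set = field(default_factory=set)
    samples: int = 0


def build_baselines(history, as_of, window_days=30):
    """Learn per-identity countries, devices and active hours from the last window_days only."""
    start = as_of - timedelta(days=window_days)
    baselines = defaultdict(Baseline)
    for identity, when, country, device in history:
        at = ts(when)
        if not (start <= at <= as_of):
            continue  # stale history is deliberately forgotten
        b = baselines[identity]
        b.countries.add(country)
        b.devices.add(device)
        b.hours.add(at.hour)
        b.samples += 1
    return dict(baselines)


def response_for(score):
    """Graduated response: the higher the confidence, the more disruptive the action."""
    if score >= 70:
        return "terminate_session_and_lockdown"
    if score >= 40:
        return "mfa_rechallenge"
    if score >= 20:
        return "analyst_review"
    return "allow"


def score_event(baselines, identity, when, country, device, min_samples=3):
    """Score one sign-in against the identity's baseline and pick a response tier."""
    b = baselines.get(identity)
    if b is None or b.samples < min_samples:
        # Never auto-respond on a thin baseline; route to a human instead.
        return {"score": None, "reasons": ["insufficient_baseline"], "response": "analyst_review"}
    at = ts(when)
    reasons = []
    if country not in b.countries:
        reasons.append("new_country")
    if device not in b.devices:
        reasons.append("new_device")
    if not (min(b.hours) <= at.hour <= max(b.hours)):
        reasons.append("off_hours")
    score = sum(WEIGHTS[r] for r in reasons)
    return {"score": score, "reasons": reasons, "response": response_for(score)}


if __name__ == "__main__":
    baselines = build_baselines(HISTORY, AS_OF)
    print(score_event(baselines, "alice", "2026-01-10T03:00:00Z", "US", "usb-live"))
```

With this history, a 03:00 UTC sign-in from a new country on an unseen device scores 90 and is routed to automated session termination, a sign-in from France scores 40 and gets an MFA re-challenge (the French sign-in 51 days earlier has aged out of the window), and an identity with fewer than three samples always lands with an analyst rather than in an automated action.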

Category A behavioral signals form the foundation of modern identity threat detection programs. Deploy these detections as your first line of defense against identity-based attacks.