UTMStack
Cloud & Network Detection Gaps

This document outlines the identified threat detection gaps across Cloud, SaaS, Kubernetes, and network proxy environments. It details missing coverage areas, prioritized by criticality, including advanced persistent threat (APT) techniques such as Golden SAML attacks, proxy-level Command and Control (C2) communication, and defense evasion tactics.

Coverage Baseline
Our current detection posture maintains strong baseline coverage for basic AWS/Azure/GCP operations (~97 active rules) and extensive network coverage for firewall events, IDS/IPS, and common web attacks (~200+ active rules). The gaps documented below represent advanced bypasses, specific C2 frameworks, and sophisticated persistence mechanisms.

Cloud & SaaS Detection Gaps

While standard administrative actions are well-monitored, significant blind spots exist around identity federation, defense evasion (alert suppression), Azure AD-specific persistence, and container/Kubernetes attacks.


Critical Priority (Cloud)

These gaps represent immediate, high-impact risks that are actively exploited by advanced threat actors (e.g., SolarWinds attack vectors, ransomware preparation).

Golden SAML & Federation Risks
Gaps C1, C2, and C6 represent the complete lifecycle of a Golden SAML attack. Without these detections, an attacker who compromises the on-premise AD FS infrastructure can forge SAML tokens to bypass MFA and access any cloud service indefinitely.

High Priority (Cloud)

  • AWS: GetSigninToken abuse (T1550.001), ECS credential theft (T1525), Glue privesc (T1078.004), Snapshot exfiltration (T1537), SSM SendCommand (T1566), Lambda URL creation (T1078.004), RDS public restore (T1020), TruffleHog scanning (T1555).

  • Azure/K8s: K8s events deleted (T1562.001), K8s admission controller injection (T1078.004), K8s secret access (T1485), LAPS credential dump (T1098.005), Bulk role changes (T1098).

  • GCP: Break-glass container deployed (T1548), DLP re-identification (T1565), Packet capture (T1074), K8s admission controller mod (T1078.004), Workspace MFA disabled (T1556).

  • M365: Data exfiltration to unsanctioned apps (T1537), PST export (T1114), OAuth app mass file downloads (T1530).


Network, Web & Proxy Detection Gaps

While traditional web attacks (SQLi, XSS) are well covered, the primary blind spots exist in proxy-level C2 detection, malware-specific User-Agent strings, and Out-of-Band (OOB) DNS interactions.

Critical Priority (Network)

These rules focus on catching Command and Control (C2) frameworks before they drop encrypted payloads, relying on known infrastructure patterns and User-Agent anomalies.

Rclone Exfiltration (N7)
Rclone is highly favored by Ransomware-as-a-Service (RaaS) affiliates for rapid data exfiltration to cloud storage providers (Mega, Dropbox, S3) prior to encryption. Detecting the specific Rclone User-Agent at the proxy level is often the last line of defense before data loss occurs.

High Priority (Network)

  • Downloads: Executables from suspicious TLDs (.xyz, .top, .tk, .zip) (T1566).

  • C2 & Infrastructure: NKN blockchain C2 via seed nodes (T1071), WannaCry killswitch active infection indicator (T1071.001), PwnDrop file hosting (T1102), Baby Shark C2 default agent URLs (T1071.001).

  • Anomalous User Agents: Suspicious/malformed UAs (typos like "Mozila", CertUtil, truncated UAs), PowerShell UAs (WindowsPowerShell/), Crypto miner UAs (XMRig/CCMiner), and Base64 encoded UAs.
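Added illustration (not UTMStack code, and not one of the Sigma rules referenced here) of how the proxy-level User-Agent checks above, the N7 Rclone indicator and the anomalous UA families, can be run as detection logic over proxy log lines. The log line layout, the 8-character truncation threshold and the sample hosts are assumptions; the log lines are constructed.

```python
import base64
import binascii
import re

# Substring heuristics from the gap list above: N7 (rclone sends "rclone/<version>" by default)
# plus the anomalous User-Agent families named in the High Priority (Network) list.
SUSPICIOUS_UA_SUBSTRINGS = {
    "rclone/": "N7 rclone exfiltration",
    "Mozila": "typo UA (Mozila)",
    "CertUtil": "CertUtil download",
    "WindowsPowerShell/": "PowerShell web client",
    "XMRig": "crypto miner",
    "CCMiner": "crypto miner",
}
# A UA made only of base64 characters (no spaces, parentheses or dots) is itself a signal.
B64_UA = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
# Assumed proxy log layout: ts src_ip method url status "user-agent"
LOG_RE = re.compile(r'^(\S+) (?P<src>\S+) (\S+) (?P<url>\S+) (\d+) "(?P<ua>[^"]*)"$')

def classify_ua(ua: str) -> list:
    """Return the reasons a User-Agent looks suspicious; an empty list means benign."""
    reasons = [label for needle, label in SUSPICIOUS_UA_SUBSTRINGS.items()
               if needle.lower() in ua.lower()]
    if len(ua) < 8:  # truncated or empty UA (threshold is an assumption)
        reasons.append("truncated UA")
    elif B64_UA.match(ua):
        try:
            base64.b64decode(ua, validate=True)
            reasons.append("base64-encoded UA")
        except binascii.Error:
            pass  # base64 alphabet but bad length/padding: not a clean encoding
    return reasons

def scan_proxy_log(lines) -> list:
    """Return (src_ip, url, reasons) for each parsable line whose UA is suspicious."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reasons := classify_ua(m["ua"])):
            hits.append((m["src"], m["url"], reasons))
    return hits

# Constructed sample proxy lines, not real traffic.
SAMPLE_LOG = [
    '2024-05-01T10:00:01Z 10.1.2.3 GET https://www.example.com/ 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2024-05-01T10:00:05Z 10.1.2.9 PUT https://storage.example.net/upload 200 "rclone/v1.66.0"',
    '2024-05-01T10:00:07Z 10.1.2.4 GET https://cdn.example.net/a.ps1 200 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2024-05-01T10:00:09Z 10.1.2.5 GET https://pool.example.org/ 200 "XMRig/6.21.0"',
    '2024-05-01T10:00:11Z 10.1.2.6 GET https://host.example.org/x 200 "aGVsbG8gd29ybGQh"',  # base64("hello world!")
    '2024-05-01T10:00:13Z 10.1.2.7 GET https://www.example.com/ 200 "Mozila/4.0"',
]
```

Calling scan_proxy_log(SAMPLE_LOG) flags five of the six lines; the plain Chrome request is left alone, which is the false-positive behaviour to watch during the 7-14 day baselining step below.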


Remediation Workflow

To close these detection gaps, follow this deployment pipeline to integrate the missing Sigma rules into your SIEM/Detection engine.

Use the sigma-cli to translate the identified .yml rules into your target SIEM query language (e.g., Splunk SPL, KQL, Elastic Query).

sigma plugin install splunk
sigma convert -t splunk -p sysmon rules/cloud/aws/cloudtrail/aws_susp_saml_activity.yml

Ensure the prerequisite log sources are actively ingesting. For example, rule C1 requires AWS CloudTrail logs, while rule N4 requires Web Proxy logs with the User-Agent field parsed.

Deploy the translated queries as saved searches without active alerting. Monitor for 7-14 days to establish a baseline and tune out environmental false positives (e.g., legitimate administrative scripts using BITSAdmin).

Once tuned, promote the rules to active alerts. Prioritize Critical rules (C1-C10, N1-N7) for immediate paging, and route High/Medium rules to informational dashboards or threat hunting queues.

UTMStack © 2026 All rights reserved