High-signal detections.
A starter list of detections that catch common compromise patterns without drowning teams in noise. Treat it as a backlog, not a finished ruleset: each item ships with a runbook, a named owner, and a check that the logs it needs are actually being collected.
Detection backlog (starter)
Prioritize identity, privilege, and data access; those are the signals an attacker has to touch on the way to anything valuable.
1. Identity anomalies
- New device login or new geo login for privileged users.
- MFA disabled, MFA reset, or repeated MFA failures.
- Impossible travel (two logins whose distance and time gap imply an infeasible speed) and session token reuse from a new client or IP.
- Login from a newly seen ASN or from an IP with poor reputation.
2. Privilege and configuration changes
- Admin role granted or privileged group membership change.
- Cloud IAM policy changes: wildcard actions or resources added, new cross-account trust relationships.
- New long-lived access keys created, or service principals created outside the normal provisioning path.
- Audit logging disabled, log retention shortened, or configuration drift on security controls.
3. Data access and exfil patterns
- Large export/download spikes or unusual query volumes.
- New integration pulling data at high rate.
- Access to sensitive datasets outside business hours.
4. Admin and support tooling abuse
- Support override used, especially without ticket references.
- Account recovery actions performed by support or admin.
- Bulk user changes or role grants via internal tools.
5. Application abuse signals
- Brute force (many failures against one account) and credential stuffing (one failure each across many accounts from few IPs).
- Rate limit bypass patterns (rotating IPs, header manipulation) and repeated auth errors from the same client.
- Suspicious API usage on sensitive endpoints.
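As an added example that is not part of the original page, the identity detections above (impossible travel and new-geography login for a privileged user) written as logic that runs over sign-in events. The event shape, the 30-day per-user country baseline, the 900 km/h speed ceiling, and all sample events are assumptions constructed for the demo; the page specifies none of them.

```python
"""Added example, not from the original page: impossible-travel and
new-geo-for-privileged-user detection over constructed sign-in events.

Assumed (hypothetical) inputs: sign-in events with user, UTC timestamp,
country, lat/lon and a privileged flag, plus a per-user baseline of
countries seen in the last 30 days."""
from __future__ import annotations

import math
from dataclasses import dataclass
from datetime import datetime

# Faster than any commercial flight, so two logins further apart than this
# rate allows cannot be the same person. Tune per environment (VPN egress
# points produce legitimate jumps; allow-list them before alerting).
MAX_SPEED_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    country: str
    lat: float
    lon: float
    privileged: bool


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two WGS84 points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def detect(events: list[SignIn], baseline: dict[str, set[str]]) -> list[Alert]:
    """Run both identity rules over events ordered per user by time."""
    alerts: list[Alert] = []
    last: dict[str, SignIn] = {}
    # Copy the baseline so a new country alerts once, not on every login.
    seen = {u: set(c) for u, c in baseline.items()}
    for e in sorted(events, key=lambda x: (x.user, x.ts)):
        known = seen.setdefault(e.user, set())
        if e.privileged and e.country not in known:
            alerts.append(Alert("new_geo_privileged", e.user,
                                f"first login from {e.country}"))
        known.add(e.country)

        prev = last.get(e.user)
        if prev is not None:
            dist = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
            hours = (e.ts - prev.ts).total_seconds() / 3600.0
            # Edge case: identical timestamps from different places is also
            # impossible; avoid dividing by zero.
            if dist > 1.0 and (hours == 0 or dist / hours > MAX_SPEED_KMH):
                alerts.append(Alert("impossible_travel", e.user,
                                    f"{dist:.0f} km in {hours:.2f} h "
                                    f"({prev.country}->{e.country})"))
        last[e.user] = e
    return alerts


def run_demo() -> list[Alert]:
    """Constructed sample data: alice is a privileged user whose session
    appears in New York and then London 90 minutes later; bob moves
    Berlin -> Munich over two hours; carol stays in her baseline country."""
    t = datetime.fromisoformat
    events = [
        SignIn("alice", t("2024-05-01T09:00:00+00:00"), "US", 40.7128, -74.0060, True),
        SignIn("alice", t("2024-05-01T10:30:00+00:00"), "GB", 51.5074, -0.1278, True),
        SignIn("bob", t("2024-05-01T08:00:00+00:00"), "DE", 52.5200, 13.4050, False),
        SignIn("bob", t("2024-05-01T10:00:00+00:00"), "DE", 48.1351, 11.5820, False),
        SignIn("carol", t("2024-05-01T07:15:00+00:00"), "IN", 19.0760, 72.8777, True),
    ]
    baseline = {"alice": {"US"}, "bob": {"DE"}, "carol": {"IN"}}
    return detect(events, baseline)


if __name__ == "__main__":
    for a in run_demo():
        print(f"{a.rule:22s} {a.user:8s} {a.detail}")
```

Both rules fire for alice only: a new country for a privileged account, and roughly 5,570 km covered in 1.5 h. bob's 500 km in two hours is well under the ceiling and carol never leaves her baseline, so neither produces noise; that selectivity is what makes a rule worth a runbook and an owner.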
Want these detections implemented with ownership?
We can help map log coverage, build detections, add runbooks, and hand off operations cleanly. Lex supports teams in India and globally.