US 12,289,321 B2
Automated generation and deployment of honey tokens in provisioned resources on a remote computer resource platform
Hani Hana Neuvirth, Redmond, WA (US); Tomer Weinberger, Tel Aviv (IL); Yaniv Zohar, Herzliya (IL); Craig A. Nelson, Redmond, WA (US); and Andrew E. Johnson, Redmond, WA (US)
Assigned to MICROSOFT TECHNOLOGY LICENSING, LLC, Redmond, WA (US)
Filed by Microsoft Technology Licensing, LLC, Redmond, WA (US)
Filed on Mar. 4, 2019, as Appl. No. 16/291,963.
Prior Publication US 2020/0287915 A1, Sep. 10, 2020
Int. Cl. H04L 9/40 (2022.01)
CPC H04L 63/1416 (2013.01) [H04L 63/0853 (2013.01); H04L 63/10 (2013.01); H04L 63/1491 (2013.01)]
17 Claims
 
1. A computer-implemented method for intrusion detection in a remote computing resource system, the method comprising:
providing a user interface (UI) by way of the remote computing resource system, the UI identifying a plurality of tenant resource modules provisioned in the remote computing resource system for a tenant of the remote computing resource system to provide resources for the tenant, wherein the tenant resource modules provisioned for the tenant of the remote computing resource system comprise one or more of a key vault, a virtual machine, an application service, an application programming interface, or a domain directory;
receiving a selection by way of the UI of one or more of the plurality of tenant resource modules to be configured for intrusion detection;
responsive to receiving the selection by way of the UI, for the tenant resource modules selected in the UI,
    allocating provisioned resources having corresponding access credentials,
    deploying the corresponding access credentials in respective tenant resource modules, and
    creating one or more data entries in a token mapping store, the data entries providing a mapping between the tenant, the corresponding access credentials and the identified tenant resource modules in which the corresponding access credentials were deployed;
scanning one or more access logs for the remote computing resource system to detect one or more resource access attempts, each access attempt including an access credential for the access attempt; and
for each resource access attempt,
    searching the token mapping store for a matching data entry where the access credential of the data entry matches the access credential for the access attempt, and
    if the matching data entry is found, generating an alert that identifies the identified resource module of the matching data entry.
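
The deploy, scan, and alert steps of claim 1, sketched as an added Python example; this is not code from the patent or from the assignee. The class and function names, the `hny_` credential prefix, the JSON log layout, and keying the store on a SHA-256 digest instead of the raw credential are all assumptions made for illustration.

```python
import hashlib, json, secrets

def fingerprint(credential: str) -> str:
    # Assumption: the store keys on a digest so it never holds the raw credential.
    return hashlib.sha256(credential.encode()).hexdigest()

class TokenMappingStore:
    """Hypothetical token mapping store: credential digest -> (tenant, module)."""
    def __init__(self):
        self._entries = {}

    def deploy(self, tenant, modules):
        """Allocate one honey credential per selected module and record the mapping."""
        issued = {}
        for module in modules:
            credential = "hny_" + secrets.token_urlsafe(24)
            self._entries[fingerprint(credential)] = (tenant, module)
            issued[module] = credential  # would be planted inside the module itself
        return issued

    def lookup(self, credential):
        return self._entries.get(fingerprint(credential))

def scan(log_lines, store):
    """Return one alert per access attempt whose credential matches a store entry."""
    alerts = []
    for line in log_lines:
        try:
            event = json.loads(line)
            credential = event["credential"]
        except (json.JSONDecodeError, KeyError, TypeError):
            continue  # malformed record or no credential field: nothing to match
        match = store.lookup(credential) if isinstance(credential, str) else None
        if match:
            tenant, module = match
            alerts.append({"tenant": tenant, "module": module,
                           "source": event.get("source"), "time": event.get("time")})
    return alerts

def demo():
    store = TokenMappingStore()
    issued = store.deploy("tenant-a", ["key-vault-1", "vm-7"])
    logs = [  # constructed sample access-log lines, not real data
        json.dumps({"time": "2019-03-04T10:00:00Z", "source": "203.0.113.5", "credential": "legit-service-key"}),
        "not json at all",
        json.dumps({"time": "2019-03-04T10:05:00Z", "source": "198.51.100.9", "credential": issued["vm-7"]}),
    ]
    return scan(logs, store)
```

Because a honey credential has no legitimate use, any log entry that matches the store is worth an alert, and the mapping tells the responder which module the credential was taken from.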