Recent cybersecurity incidents attributed to UNC6395 and UNC6040 have highlighted a significant and top-of-mind breach concern for organizations worldwide. These attackers appear to use sophisticated techniques for exploiting systems, but in practice they took advantage of how people trust OAuth approvals, third-party integrations, and app access. Their tactics, techniques, and procedures (TTPs) often involve abuse of valid app tokens, automated data exfiltration, lateral SaaS exposure, and credential harvesting. The impact of these supply-chain attacks, from intellectual property theft to sensitive customer data exposure, calls for robust security measures that can detect and prevent such silent, persistent threats.

AppOmni: Proactive Detection and Prevention

Campaigns like UNC6395 and UNC6040 reveal a critical gap in traditional security strategies. They often overlook the growing web of OAuth connections, third-party integrations, and other complexities within the modern SaaS ecosystem.

AppOmni helps close that gap. Our platform provides deep, continuous visibility into your SaaS applications, helping you detect and prevent data loss, lateral movement, and unauthorized access from attackers.

Here’s how AppOmni helps you take control:

  • Discover your full SaaS attack surface: Automatically inventory connected SaaS applications, both sanctioned and unsanctioned, to eliminate blind spots. Restrict users’ ability to grant OAuth permissions and reduce the sprawl attackers exploit for initial access. 
  • Continuously govern app permissions: Monitor and restrict OAuth scopes, IP access, and integration behavior. Prevent overpermissioned or risky apps from creating pathways to sensitive data.
  • Analyze behavior to detect threats: Normalize SaaS activity logs, build baselines, and detect anomalies like mass downloads, off-hours access, or token use from unusual locations.
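The three anomaly types named above (mass downloads, off-hours access, token use from an unusual location) can be expressed as checks against a per-principal baseline. The following is an added example, not AppOmni's or Cribl's code; the event schema (`ts`, `principal`, `action`, `country`, `records`) and the sample events are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed, already-normalized SaaS activity events (not real telemetry).
# Field names are assumptions: ts (UTC), principal (user or OAuth app),
# action, country (derived from source IP), records (rows touched).
BASELINE = [
    {"ts": "2025-08-04T14:05:00Z", "principal": "oauth-app:data-loader", "action": "export", "country": "US", "records": 300},
    {"ts": "2025-08-05T15:40:00Z", "principal": "oauth-app:data-loader", "action": "export", "country": "US", "records": 420},
    {"ts": "2025-08-06T13:10:00Z", "principal": "oauth-app:data-loader", "action": "export", "country": "US", "records": 280},
    {"ts": "2025-08-07T16:55:00Z", "principal": "oauth-app:data-loader", "action": "query", "country": "US", "records": 50},
]
RECENT = [
    {"ts": "2025-08-12T02:15:00Z", "principal": "oauth-app:data-loader", "action": "export", "country": "SG", "records": 50000},
    {"ts": "2025-08-12T02:17:00Z", "principal": "oauth-app:data-loader", "action": "export", "country": "SG", "records": 48000},
    {"ts": "2025-08-12T15:00:00Z", "principal": "oauth-app:data-loader", "action": "export", "country": "US", "records": 250},
]

def parse_ts(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def build_baseline(events):
    """Per principal: countries seen, UTC hours seen, largest single export."""
    base = defaultdict(lambda: {"countries": set(), "hours": set(), "max_export": 0})
    for e in events:
        b = base[e["principal"]]
        b["countries"].add(e["country"])
        b["hours"].add(parse_ts(e["ts"]).hour)
        if e["action"] == "export":
            b["max_export"] = max(b["max_export"], e["records"])
    return base

def detect(events, baseline, volume_factor=10):
    """Return (event_index, reason) for each deviation from the principal's baseline."""
    findings = []
    for i, e in enumerate(events):
        b = baseline.get(e["principal"])  # .get() does not create a default entry
        if b is None:
            findings.append((i, "no baseline for principal"))
            continue
        if e["country"] not in b["countries"]:
            findings.append((i, f"token used from unusual location: {e['country']}"))
        if parse_ts(e["ts"]).hour not in b["hours"]:
            findings.append((i, "off-hours activity"))
        if e["action"] == "export" and e["records"] > volume_factor * b["max_export"]:
            findings.append((i, f"mass download: {e['records']} records"))
    return findings

if __name__ == "__main__":
    for idx, reason in detect(RECENT, build_baseline(BASELINE)):
        print(RECENT[idx]["ts"], RECENT[idx]["principal"], reason)
```

The two 02:00 UTC exports from a never-seen country trip all three checks, while the 15:00 US export of 250 records matches the baseline and produces no finding.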

With AppOmni, security teams gain the insights and controls needed to stay ahead of sophisticated SaaS threats, reducing the attack surface, improving response times, and helping prevent breaches before damage is done.

SaaS Data Control and Optimization with Cribl Stream

The integration with Cribl Stream provides organizations with unparalleled choice and control over their security data. Cribl Stream allows organizations to process, enrich, and route data in an optimized format to any desired destinations.

Key benefits include:

  • Data Optimization: Cribl Stream can filter, reduce, and transform data, ensuring that only relevant and optimized information is sent to downstream security tools or storage, reducing costs and improving efficiency.
  • Flexible Routing: Data can be sent to various destinations simultaneously, such as security information and event management (SIEM) systems, data lakes, or analytics platforms, based on specific use cases and compliance needs.
  • Vendor Agnosticism: This capability gives customers the flexibility to choose the best-of-breed security tools without being locked into a single vendor’s ecosystem for data ingestion and routing.

Enhancing Incident Response with Cribl Cloud

Cribl Cloud paired with AppOmni’s valuable SaaS telemetry data helps strengthen an organization’s security posture and incident response capabilities. Leveraging Cribl Lake as a destination for this data allows for a comprehensive historical record of security events. Cribl Search empowers incident responders with fast, federated queries across Cribl Lake, data lakes, REST APIs, popular databases, and SIEMs, enabling rapid investigation without data movement. It unifies diverse data sources into a single search workflow for faster, more effective response. Additional benefits include:

  • Forensic Analysis: In the event of an incident, security teams can leverage this rich dataset to conduct thorough forensic investigations, understanding the scope and impact of the breach.
  • Compliance and Auditing: Long-term storage in Cribl Lake helps organizations simplify compliance audits by providing a searchable trail of security activities.

Furthermore, making this data available in Cribl Search allows security analysts to query historical information effectively, looking back for indicators of compromise (IOCs) and anomalous activities related to UNC6395/UNC6040 exploits. This capability is invaluable for:

  • Incident Triage: Quickly identifying the origin and progression of an attack.
  • Threat Hunting: Proactively searching for signs of advanced threats that might have evaded initial detection.
  • Root Cause Analysis: Understanding the underlying vulnerabilities that led to a breach, enabling more effective future prevention.

Together, AppOmni and Cribl deliver deep SaaS visibility + smart data management—a powerful combination that helps teams stay ahead of evolving threats, meet compliance goals, and reduce SaaS risk exposure.

UNC6395 and UNC6040 remind us that SaaS isn’t just another attack vector—it’s now the operating system of the enterprise. With AppOmni and Cribl, organizations get visibility, control, and insights that are essential to protecting business-critical SaaS environments from modern threats.

Don’t wait to detect. Design your SaaS security program to prevent. 

Ready to strengthen your SaaS security? Here are 3 ways you can continue your journey to contain SaaS threats:

  1. See why Salesforce OAuth integrations are a growing cybersecurity risk and how to protect your organization from similar attacks.
  2. Download the SaaS Threat Detection Toolkit. Learn 6 essential strategies needed to detect threats and reduce alert fatigue.
  3. Get a complimentary SaaS risk assessment to see exactly who—and what—has access to your cloud data.