T1078.004 Cloud Accounts Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1078.004 - Cloud Accounts: Detect suspicious cloud account usage patterns
// Covers: impossible travel, new country logins, legacy auth, service principal abuse, and suspicious MFA patterns
let LookbackPeriod = 24h;
let SuspiciousCountries = dynamic(["KP", "IR", "RU", "CN", "BY"]);
let LegacyAuthClients = dynamic([
  "IMAP", "POP3", "SMTP", "BasicAuth", "ExchangeActiveSync",
  "AutoDiscover", "Exchange Web Services", "Office Protocol",
  "Authenticated SMTP", "Outlook Anywhere"
]);
// Section 1: Suspicious sign-ins from unusual locations or legacy auth
let SuspiciousSignins = SigninLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0  // Successful sign-in
| extend Country = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| extend ClientApp = tostring(ClientAppUsed)
| extend IsLegacyAuth = ClientApp has_any (LegacyAuthClients)
| extend IsSuspiciousCountry = Country in (SuspiciousCountries)
| extend IsHighRisk = RiskLevelDuringSignIn in ("high", "medium")
| extend IsMFANotPerformed = AuthenticationRequirement == "singleFactorAuthentication" and ConditionalAccessStatus != "notApplied"
| where IsLegacyAuth or IsSuspiciousCountry or IsHighRisk or IsMFANotPerformed
| project TimeGenerated, UserPrincipalName, UserId, AppDisplayName, IPAddress,
          Country, City, ClientApp, IsLegacyAuth, IsSuspiciousCountry,
          IsHighRisk, IsMFANotPerformed, RiskLevelDuringSignIn,
          ConditionalAccessStatus, UserAgent, CorrelationId;
// Section 2: Service Principal sign-ins outside expected patterns
let SPSignins = AADServicePrincipalSignInLogs
| where TimeGenerated > ago(LookbackPeriod)
| where ResultType == 0
| summarize SigninCount = count(), UniqueIPs = dcount(IPAddress), IPList = make_set(IPAddress, 10)
    by ServicePrincipalName, ServicePrincipalId, AppId, bin(TimeGenerated, 1h)
| where UniqueIPs > 3  // Service principals should use consistent IPs
| extend AlertReason = "Service principal authenticating from multiple IPs"
| project TimeGenerated, ServicePrincipalName, ServicePrincipalId, AppId,
          SigninCount, UniqueIPs, IPList, AlertReason;
// Output suspicious user sign-ins
SuspiciousSignins
| sort by TimeGenerated desc

high severity high confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Application Log: Application Log Content Microsoft Entra ID Sign-In Logs Azure AD Identity Protection

Required Tables

SigninLogs AADServicePrincipalSignInLogs

False Positives

Legitimate business travelers or remote workers authenticating from foreign countries or new locations for the first time
Legacy applications or shared mailbox access that legitimately use basic authentication protocols not yet migrated to modern auth
Service principals deployed across multi-region infrastructure may authenticate from multiple IP addresses legitimately
Helpdesk or break-glass accounts accessed from admin workstations in unusual locations during incident response
VPN or proxy usage causing sign-ins to appear from unexpected geographic locations

Splunk

spl

index=azure_monitor_aad sourcetype="azure:monitor:aad" category="SignInLogs"
| spath output=ResultType path=properties.status.errorCode
| spath output=UserPrincipalName path=properties.userPrincipalName
| spath output=AppDisplayName path=properties.appDisplayName
| spath output=IPAddress path=properties.ipAddress
| spath output=ClientApp path=properties.clientAppUsed
| spath output=Country path=properties.location.countryOrRegion
| spath output=City path=properties.location.city
| spath output=RiskLevel path=properties.riskLevelDuringSignIn
| spath output=AuthRequirement path=properties.authenticationRequirement
| spath output=ConditionalAccess path=properties.conditionalAccessStatus
| spath output=UserAgent path=properties.userAgent
| where ResultType="0"
| eval IsLegacyAuth=if(match(lower(ClientApp), "(imap|pop3|smtp|basicauth|exchange activesync|autodiscover|exchange web services|authenticated smtp|outlook anywhere)"), 1, 0)
| eval IsSuspiciousCountry=if(Country IN ("KP", "IR", "RU", "CN", "BY"), 1, 0)
| eval IsHighRisk=if(RiskLevel IN ("high", "medium"), 1, 0)
| eval IsMFABypassed=if(AuthRequirement="singleFactorAuthentication" AND ConditionalAccess!="notApplied", 1, 0)
| eval RiskScore=IsLegacyAuth + IsSuspiciousCountry + IsHighRisk + IsMFABypassed
| where RiskScore > 0
| eval RiskFactors=mvappend(
    if(IsLegacyAuth=1, "LegacyAuth", null()),
    if(IsSuspiciousCountry=1, "SuspiciousCountry:".Country, null()),
    if(IsHighRisk=1, "HighRisk:".RiskLevel, null()),
    if(IsMFABypassed=1, "MFABypassed", null())
  )
| table _time, UserPrincipalName, AppDisplayName, IPAddress, Country, City, ClientApp, RiskFactors, RiskScore, AuthRequirement, ConditionalAccess, UserAgent
| sort - RiskScore _time

high severity high confidence

Data Sources

Logon Session: Logon Session Creation User Account: User Account Authentication Azure AD Sign-In Logs via Azure Monitor

Required Sourcetypes

azure:monitor:aad

False Positives

Legitimate business travelers or remote workers authenticating from foreign countries
Legacy applications using basic authentication that have not yet been migrated to modern auth protocols
VPN or proxy infrastructure causing geographic misattribution of sign-in source
Shared service accounts used by automation pipelines from multiple data center IPs
Break-glass or emergency access accounts used during major incidents from non-standard locations

Elastic Security (EQL)

eql

any where event.dataset == "azure.signinlogs"
  and azure.signinlogs.properties.status.error_code == "0"
  and (
    azure.signinlogs.properties.location.country_or_region in ("KP", "IR", "RU", "CN", "BY") or
    azure.signinlogs.properties.client_app_used like~ ("*IMAP*", "*POP3*", "*SMTP*", "*BasicAuth*", "*ExchangeActiveSync*", "*AutoDiscover*", "*Exchange Web Services*", "*Authenticated SMTP*", "*Outlook Anywhere*") or
    azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium") or
    (
      azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication" and
      azure.signinlogs.properties.conditional_access_status != "notApplied"
    )
  )

high severity medium confidence

Data Sources

Azure Active Directory Sign-In Logs via Elastic Azure integration

Required Tables

azure.signinlogs

False Positives

Legitimate users traveling to or working in Russia, China, or other flagged countries accessing corporate resources via authorized VPN or from a local ISP
Approved legacy applications (monitoring tools, printers, old email clients) using Basic Auth or SMTP AUTH that are on an exemption list during an OAuth migration window
Microsoft Identity Protection false positives elevating risk scores for users authenticating from new devices, fresh browser profiles, or unfamiliar but legitimate corporate networks

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
  username AS UserPrincipalName,
  sourceip AS IPAddress,
  LOGSOURCENAME(logsourceid) AS LogSource,
  "Application" AS AppDisplayName,
  "CountryOrRegion" AS Country,
  "ClientAppUsed" AS ClientApp,
  "RiskLevelDuringSignIn" AS RiskLevel,
  "AuthenticationRequirement" AS AuthRequirement,
  "ConditionalAccessStatus" AS ConditionalAccess,
  CASE
    WHEN "CountryOrRegion" IN ('KP','IR','RU','CN','BY') THEN 'SuspiciousCountry'
    WHEN LOWER("ClientAppUsed") MATCHES '(?i)(imap|pop3|smtp|basicauth|exchange.?activesync|autodiscover|exchange.?web.?services|authenticated.?smtp|outlook.?anywhere)' THEN 'LegacyAuth'
    WHEN "RiskLevelDuringSignIn" IN ('high','medium') THEN 'HighRisk'
    ELSE 'MFABypassed'
  END AS PrimaryAlertReason
FROM events
WHERE
  LOGSOURCETYPEID(devicetype) = 452
  AND (
    "CountryOrRegion" IN ('KP', 'IR', 'RU', 'CN', 'BY')
    OR LOWER("ClientAppUsed") MATCHES '(?i)(imap|pop3|smtp|basicauth|exchange.?activesync|autodiscover|exchange.?web.?services|authenticated.?smtp|outlook.?anywhere)'
    OR "RiskLevelDuringSignIn" IN ('high', 'medium')
    OR ("AuthenticationRequirement" = 'singleFactorAuthentication' AND "ConditionalAccessStatus" != 'notApplied')
  )
  AND starttime > NOW() - 86400000
ORDER BY starttime DESC

high severity medium confidence

Data Sources

Microsoft Azure Active Directory DSM for IBM QRadar

Required Tables

events

False Positives

Security operations staff using VPN endpoints with exit nodes in flagged countries during threat intelligence research, red team simulations, or geo-testing exercises
Service accounts using SMTP AUTH for alerting pipelines or monitoring systems that are documented and approved in the change management system
Users behind carrier-grade NAT or CDN reverse-proxy exit nodes whose source IP resolves to a flagged country despite the user being physically located elsewhere

Sumo Logic CSE

sql

_sourceCategory=azure/aad/signin
| json "properties.status.errorCode" as error_code nodrop
| json "properties.userPrincipalName" as user nodrop
| json "properties.ipAddress" as src_ip nodrop
| json "properties.clientAppUsed" as client_app nodrop
| json "properties.location.countryOrRegion" as country nodrop
| json "properties.riskLevelDuringSignIn" as risk_level nodrop
| json "properties.authenticationRequirement" as auth_req nodrop
| json "properties.conditionalAccessStatus" as ca_status nodrop
| json "properties.appDisplayName" as app_name nodrop
| json "properties.userAgent" as user_agent nodrop
| where error_code = "0"
| where country in ("KP","IR","RU","CN","BY")
    OR client_app matches /(?i)(imap|pop3|smtp|basicauth|exchange.?activesync|autodiscover|exchange.?web.?services|authenticated.?smtp|outlook.?anywhere)/
    OR risk_level in ("high","medium")
    OR (auth_req = "singleFactorAuthentication" AND ca_status != "notApplied")
| if(country in ("KP","IR","RU","CN","BY"), "SuspiciousCountry", "") as flag_country
| if(client_app matches /(?i)(imap|pop3|smtp|basicauth|exchange.?activesync)/, "LegacyAuth", "") as flag_legacy
| if(risk_level in ("high","medium"), concat("HighRisk:",risk_level), "") as flag_risk
| if(auth_req = "singleFactorAuthentication" AND ca_status != "notApplied", "MFABypassed", "") as flag_mfa
| concat(flag_country, " ", flag_legacy, " ", flag_risk, " ", flag_mfa) as risk_factors
| fields _messageTime, user, src_ip, app_name, country, client_app, risk_level, auth_req, ca_status, risk_factors
| sort by _messageTime desc

high severity medium confidence

Data Sources

Azure Active Directory Diagnostic Logs forwarded to Sumo Logic via Azure Event Hub or HTTP Source

Required Tables

_sourceCategory=azure/aad/signin

False Positives

B2B partner or vendor accounts from organizations physically headquartered in Russia, China, or Iran that are legitimate business relationships with approved access
Penetration testing accounts intentionally authenticating through country-specific VPN endpoints during a scheduled and documented security assessment
Cloud-native service accounts not yet migrated to certificate-based or managed identity authentication that use approved legacy protocols for compatibility with older integrations

Google Chronicle / SecOps

yaral

rule t1078_004_cloud_accounts_suspicious_signin {
  meta:
    author = "Detection Engineering"
    description = "T1078.004 - Cloud Accounts: Detects suspicious Azure AD / Entra ID sign-ins including legacy auth protocol usage, logins from high-risk countries, elevated identity risk scores, and single-factor auth where conditional access policy was applied"
    mitre_attack_technique = "T1078.004"
    mitre_attack_tactic = "Initial Access, Persistence, Privilege Escalation, Defense Evasion"
    severity = "HIGH"
    confidence = "MEDIUM"
    created = "2024-01-01"

  events:
    $e.metadata.event_type = "USER_LOGIN"
    $e.security_result.action = "ALLOW"
    $e.metadata.vendor_name = "Microsoft"
    $e.target.user.userid != ""

    (
      $e.principal.location.country_or_region in %cloud_suspicious_countries
      or re.regex($e.network.http.user_agent, `(?i)(imap|pop3|smtp auth|basicauth|exchange.?activesync|autodiscover|exchange.?web.?services|authenticated.?smtp|outlook.?anywhere)`)
      or $e.security_result.risk_score >= 50
      or $e.security_result.severity = "HIGH"
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Microsoft Entra ID (Azure AD) via Chronicle Google SecOps Microsoft 365 integration Microsoft 365 Audit Logs

Required Tables

UDM Events (event_type: USER_LOGIN) Reference List: cloud_suspicious_countries

False Positives

Diplomatic staff, journalists, or government contractors authenticating from embassy or office networks physically located in flagged countries
Risk score inflation caused by legitimate users completing MFA device enrollment, registering a new hardware token, or signing in from a newly provisioned corporate device for the first time
Single-factor authentication flows for service accounts or shared mailboxes explicitly excluded from MFA conditional access scope via approved policy exception documented in the IAM system

CrowdStrike LogScale (CQL)

cql

// CrowdStrike Falcon Identity Protection - Cloud Account Suspicious Sign-in
// Targets Azure AD / Entra ID events ingested via Falcon Identity connector
#event_simpleName = /IdpSso|SsoApplicationAccess|CloudAccountLogin|OAuthTokenCreated/i
| TargetUserName != ""
| ResultCode = "0" OR AuthStatus = /success/i
| isLegacyAuth := regex("(?i)(imap|pop3|smtp auth|basicauth|exchange.?activesync|autodiscover|exchange.?web.?services|authenticated.?smtp|outlook.?anywhere)", field=ClientAppUsed, strict=false)
| isSuspiciousCountry := CountryCode in ["KP", "IR", "RU", "CN", "BY"]
| isHighRisk := RiskLevel in ["high", "medium"]
| isMFABypassed := AuthenticationRequirement = "singleFactorAuthentication" AND ConditionalAccessStatus != "notApplied"
| isLegacyAuth = true OR isSuspiciousCountry = true OR isHighRisk = true OR isMFABypassed = true
| riskScore := if(isLegacyAuth, 1, 0) + if(isSuspiciousCountry, 1, 0) + if(isHighRisk, 1, 0) + if(isMFABypassed, 1, 0)
| riskFactors := format("%s%s%s%s",
    if(isLegacyAuth, "LegacyAuth ", ""),
    if(isSuspiciousCountry, format("SuspiciousCountry:%s ", CountryCode), ""),
    if(isHighRisk, format("HighRisk:%s ", RiskLevel), ""),
    if(isMFABypassed, "MFABypassed", "")
  )
| table([_time, TargetUserName, SourceIPAddress, CountryCode, ClientAppUsed, RiskLevel, AuthenticationRequirement, ConditionalAccessStatus, riskScore, riskFactors])
| sort(field=_time, order=desc)

high severity low confidence

Data Sources

CrowdStrike Falcon Identity Protection Falcon Data Replicator (FDR) Azure AD connector events

Required Tables

#event_simpleName: IdpSso, SsoApplicationAccess, CloudAccountLogin, OAuthTokenCreated

False Positives

IAM team test accounts used for Entra ID conditional access policy validation and Falcon Identity connector health checks that intentionally trigger sign-in anomalies
Cloud workloads using managed identities or service principals that acquire tokens via single-factor flows as part of the approved application architecture with no MFA requirement by design
Users whose identity risk score elevates due to shared corporate egress IP reputation changes affecting many users simultaneously, causing bulk false positive alerts

Cloud Accounts

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections