T1199

Trusted Relationship

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third-party relationships abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. These relationships include IT services contractors, managed security providers, and infrastructure contractors. In Office 365 and Azure AD environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.

Microsoft Sentinel / Defender

kusto

// Detect suspicious trusted relationship abuse — delegated admin grants, cross-tenant access, and service provider account anomalies
let SensitiveOperations = dynamic([
    "Add delegated permission grant",
    "Add partner to cross-tenant access setting",
    "Add policy to cross-tenant access setting",
    "Set partner information",
    "Add member to role",
    "Add app role assignment to service principal",
    "Add service principal"
]);
let SuspiciousRoles = dynamic([
    "Global Administrator",
    "Privileged Role Administrator",
    "Exchange Administrator",
    "SharePoint Administrator",
    "Security Administrator",
    "Helpdesk Administrator",
    "User Administrator"
]);
// Part 1: New delegated admin relationship grants and partner configuration changes
AuditLogs
| where TimeGenerated > ago(24h)
| where OperationName in (SensitiveOperations)
| extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatorIP = tostring(InitiatedBy.user.ipAddress)
| extend InitiatorAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatorAppId = tostring(InitiatedBy.app.appId)
| extend TargetName = tostring(TargetResources[0].displayName)
| extend TargetType = tostring(TargetResources[0].type)
| extend TargetId = tostring(TargetResources[0].id)
| extend ModProps = tostring(TargetResources[0].modifiedProperties)
| where Result =~ "success"
| extend EventCategory = "DelegatedAdminGrant"
| project TimeGenerated, EventCategory, OperationName, InitiatorUPN, InitiatorIP,
          InitiatorAppName, InitiatorAppId, TargetName, TargetType, TargetId,
          ModProps, Result, CorrelationId
| union kind=outer (
    // Part 2: Cross-tenant sign-ins by external service providers accessing privileged resources
    SigninLogs
    | where TimeGenerated > ago(24h)
    | where ResultType == 0
    | where CrossTenantAccessType != "none" and isnotempty(CrossTenantAccessType)
    | where ResourceTenantId != HomeTenantId
    | extend IsPrivilegedApp = AppDisplayName has_any ("Exchange", "SharePoint", "Teams", "Security", "Compliance", "Azure Active Directory", "Graph")
    | where IsPrivilegedApp == true
    | extend EventCategory = "CrossTenantPrivilegedAccess"
    | project TimeGenerated, EventCategory,
              OperationName = strcat("Cross-Tenant Sign-In via ", CrossTenantAccessType),
              InitiatorUPN = UserPrincipalName,
              InitiatorIP = IPAddress,
              InitiatorAppName = AppDisplayName,
              InitiatorAppId = AppId,
              TargetName = ResourceDisplayName,
              TargetType = "Application",
              TargetId = ResourceTenantId,
              ModProps = tostring(DeviceDetail),
              Result = "Success",
              CorrelationId
)
| union kind=outer (
    // Part 3: Privileged role assignments to external/guest accounts (often MSP onboarding step)
    AuditLogs
    | where TimeGenerated > ago(24h)
    | where OperationName in ("Add member to role", "Add eligible member to role")
    | extend InitiatorUPN = tostring(InitiatedBy.user.userPrincipalName)
    | extend InitiatorIP = tostring(InitiatedBy.user.ipAddress)
    | extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
    | extend RoleName = tostring(TargetResources[1].displayName)
    | where RoleName in (SuspiciousRoles)
    | where TargetUPN contains "#EXT#" or TargetUPN contains "_" // Guest/external account patterns
    | where Result =~ "success"
    | extend EventCategory = "ExternalAccountPrivilegedRoleGrant"
    | project TimeGenerated, EventCategory,
              OperationName = strcat("Role Grant: ", RoleName, " to external account"),
              InitiatorUPN, InitiatorIP,
              InitiatorAppName = "",
              InitiatorAppId = "",
              TargetName = TargetUPN,
              TargetType = "User",
              TargetId = tostring(TargetResources[0].id),
              ModProps = RoleName,
              Result = "Success",
              CorrelationId
)
| sort by TimeGenerated desc

high severity medium confidence

Data Sources

Azure Active Directory: AuditLogs Azure Active Directory: SigninLogs Identity: User Account

Required Tables

AuditLogs SigninLogs

False Positives

Legitimate MSP or IT service provider onboarding — new partner relationships being established with proper change management approval will trigger delegated admin grant events
Authorized Azure AD B2B guest user provisioning for vendors or contractors accessing collaboration tools like Teams or SharePoint
Microsoft first-party service accounts (e.g., Microsoft Support, Intune Service Principal) appearing as cross-tenant sign-ins when performing tenant management actions
Scheduled MSP maintenance windows where service provider accounts access privileged resources as part of contracted SLA obligations
Security team adding a MSSP or MDR provider with Global Reader or Security Reader role for monitoring purposes

Splunk

spl

// Detect trusted relationship abuse via Office 365 delegated admin grants and external service account logons
(
  sourcetype="o365:management:activity"
  (Operation="Add-RoleGroupMember" OR Operation="New-ManagementRoleAssignment" OR
   Operation="Add member to role." OR Operation="Consent to application." OR
   Operation="Add delegated permission grant." OR Operation="Add app role assignment to service principal.")
| eval EventCategory="DelegatedPermissionGrant"
| eval ActorUPN=coalesce(UserId, Actor{}.ID)
| eval TargetResource=coalesce(ObjectId, ModifiedProperties{}.NewValue)
| eval SourceIP=ClientIP
| table _time, EventCategory, Operation, ActorUPN, SourceIP, TargetResource, ResultStatus, OrganizationId
)
| append
[
  search sourcetype="o365:management:activity"
    (Operation="UserLoggedIn" OR Operation="UserLoginFailed")
    UserType=4
| eval EventCategory="ExternalUserAccess"
| eval ActorUPN=UserId
| eval SourceIP=ClientIP
| eval TargetResource=Workload
| eval IsAdmin=if(match(ActorUPN, "(?i)(admin|svc|msp|partner|vendor|managed)"), 1, 0)
| where IsAdmin=1 OR UserType=4
| table _time, EventCategory, Operation, ActorUPN, SourceIP, TargetResource, ResultStatus, UserType
]
| append
[
  search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
    LogonType=3 NOT (SourceNetworkAddress="10.*" OR SourceNetworkAddress="172.16.*" OR
    SourceNetworkAddress="172.17.*" OR SourceNetworkAddress="172.18.*" OR
    SourceNetworkAddress="172.19.*" OR SourceNetworkAddress="172.20.*" OR
    SourceNetworkAddress="172.21.*" OR SourceNetworkAddress="172.22.*" OR
    SourceNetworkAddress="172.23.*" OR SourceNetworkAddress="172.24.*" OR
    SourceNetworkAddress="172.25.*" OR SourceNetworkAddress="172.26.*" OR
    SourceNetworkAddress="172.27.*" OR SourceNetworkAddress="172.28.*" OR
    SourceNetworkAddress="172.29.*" OR SourceNetworkAddress="172.30.*" OR
    SourceNetworkAddress="172.31.*" OR SourceNetworkAddress="192.168.*" OR
    SourceNetworkAddress="127.*" OR SourceNetworkAddress="::1" OR SourceNetworkAddress="-")
| eval IsSvcAccount=if(match(TargetUserName, "(?i)(svc_|_svc|admin|mgmt|msp|vendor)"), 1, 0)
| where IsSvcAccount=1
| eval EventCategory="ExternalServiceAccountNetworkLogon"
| eval ActorUPN=TargetUserName
| eval SourceIP=SourceNetworkAddress
| eval TargetResource=ComputerName
| table _time, EventCategory, ActorUPN, SourceIP, TargetResource, TargetDomainName, LogonType
]
| eval SuspicionIndicators=0
| eval SuspicionIndicators=SuspicionIndicators + if(EventCategory="DelegatedPermissionGrant", 2, 0)
| eval SuspicionIndicators=SuspicionIndicators + if(EventCategory="ExternalUserAccess", 1, 0)
| eval SuspicionIndicators=SuspicionIndicators + if(EventCategory="ExternalServiceAccountNetworkLogon", 1, 0)
| eval SuspicionIndicators=SuspicionIndicators + if(match(ActorUPN, "(?i)(admin|global.admin|privileged)"), 1, 0)
| eval SuspicionIndicators=SuspicionIndicators + if(ResultStatus="Failed" OR ResultStatus="Failure", 1, 0)
| where SuspicionIndicators > 0
| sort - SuspicionIndicators, - _time
| table _time, EventCategory, Operation, ActorUPN, SourceIP, TargetResource, SuspicionIndicators

high severity medium confidence

Data Sources

Office 365 Management Activity API Windows Security Event Log Azure Active Directory

Required Sourcetypes

o365:management:activity WinEventLog:Security

False Positives

Legitimate MSP onboarding creating new delegated admin grants — coordinate with IT management to build an allowlist of expected partner tenant IDs
Authorized service accounts from managed service providers performing scheduled maintenance over the network from their management IP ranges
Microsoft partner accounts with existing authorized GDAP or DAP relationships accessing tenant resources as part of contracted support
MSSP/MDR provider accounts logging into Office 365 security portals as part of a 24/7 monitoring engagement
Vendor or contractor accounts with B2B guest access accessing SharePoint or Teams for authorized project collaboration

Elastic Security (EQL)

eql

any where
  (
    event.dataset == "azure.auditlogs" and
    azure.auditlogs.operation_name in~ (
      "Add delegated permission grant",
      "Add partner to cross-tenant access setting",
      "Add policy to cross-tenant access setting",
      "Set partner information",
      "Add member to role",
      "Add app role assignment to service principal",
      "Add service principal"
    ) and
    azure.auditlogs.result == "success"
  ) or
  (
    event.dataset == "azure.signinlogs" and
    azure.signinlogs.properties.cross_tenant_access_type != "none" and
    azure.signinlogs.properties.cross_tenant_access_type != null and
    azure.signinlogs.properties.resource_display_name : ("*Exchange*", "*SharePoint*", "*Teams*", "*Security*", "*Compliance*", "*Graph*") and
    event.outcome == "success"
  ) or
  (
    event.category == "authentication" and
    event.action == "logged-in" and
    winlog.event_id == 4624 and
    winlog.event_data.LogonType == "3" and
    not source.ip : (
      "10.*", "172.16.*", "172.17.*", "172.18.*", "172.19.*",
      "172.20.*", "172.21.*", "172.22.*", "172.23.*", "172.24.*",
      "172.25.*", "172.26.*", "172.27.*", "172.28.*", "172.29.*",
      "172.30.*", "172.31.*", "192.168.*", "127.*", "::1"
    ) and
    user.name : ("*svc_*", "*_svc*", "*admin*", "*mgmt*", "*msp*", "*vendor*", "*partner*", "*managed*")
  )

high severity medium confidence

Data Sources

Azure Active Directory Audit Logs (azure.auditlogs) Azure AD Sign-In Logs (azure.signinlogs) Windows Security Event Log (winlog)

Required Tables

azure.auditlogs azure.signinlogs winlog (EventID 4624)

False Positives

Legitimate MSP or IT outsourcing partners being formally onboarded — delegated admin grant events fire during standard third-party provisioning workflows approved via change management
Scheduled automation or RPA service accounts performing network logons from cloud-hosted infrastructure (Azure Automation, GitHub Actions runners) with public IPs not in RFC1918 space
Corporate mergers or acquisitions where cross-tenant access is intentionally configured to allow Azure AD tenant integration, and authorized B2B guests access shared resources like SharePoint or Teams

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  QIDNAME(qid) AS event_name,
  username,
  sourceip,
  LOGSOURCENAME(logsourceid) AS log_source,
  CATEGORYNAME(category) AS log_category,
  'TrustedRelationshipAbuse' AS detection_category,
  payload
FROM events
WHERE devicetime > NOW() - 86400000
  AND (
    -- Arm 1: O365 delegated admin and partner configuration events
    (
      LOGSOURCETYPEID(devicetype) = 397
      AND LOWER(QIDNAME(qid)) IN (
        'add delegated permission grant',
        'add partner to cross-tenant access setting',
        'add policy to cross-tenant access setting',
        'set partner information',
        'add member to role',
        'add app role assignment to service principal',
        'add service principal'
      )
    )
    OR
    -- Arm 2: O365 external user (UserType=4) logon events
    (
      LOGSOURCETYPEID(devicetype) = 397
      AND LOWER(QIDNAME(qid)) IN ('userloggedin', 'userloginfailed')
      AND TEXT(payload) LIKE '%"UserType":4%'
    )
    OR
    -- Arm 3: Windows network logon from external IP by service/admin-named account
    (
      LOGSOURCETYPEID(devicetype) = 12
      AND qid = 4624
      AND TEXT(payload) LIKE '%LogonType=3%'
      AND NOT (
        sourceip STARTSWITH '10.' OR
        sourceip STARTSWITH '192.168.' OR
        sourceip STARTSWITH '172.16.' OR sourceip STARTSWITH '172.17.' OR
        sourceip STARTSWITH '172.18.' OR sourceip STARTSWITH '172.19.' OR
        sourceip STARTSWITH '172.20.' OR sourceip STARTSWITH '172.21.' OR
        sourceip STARTSWITH '172.22.' OR sourceip STARTSWITH '172.23.' OR
        sourceip STARTSWITH '172.24.' OR sourceip STARTSWITH '172.25.' OR
        sourceip STARTSWITH '172.26.' OR sourceip STARTSWITH '172.27.' OR
        sourceip STARTSWITH '172.28.' OR sourceip STARTSWITH '172.29.' OR
        sourceip STARTSWITH '172.30.' OR sourceip STARTSWITH '172.31.' OR
        sourceip = '127.0.0.1' OR sourceip = '::1'
      )
      AND (
        LOWER(username) LIKE '%svc%' OR LOWER(username) LIKE '%admin%' OR
        LOWER(username) LIKE '%msp%' OR LOWER(username) LIKE '%vendor%' OR
        LOWER(username) LIKE '%partner%' OR LOWER(username) LIKE '%mgmt%' OR
        LOWER(username) LIKE '%managed%'
      )
    )
  )
ORDER BY devicetime DESC

high severity medium confidence

Data Sources

Microsoft Office 365 DSM (QRadar LOGSOURCETYPEID 397) Microsoft Windows Security Event Log DSM (QRadar LOGSOURCETYPEID 12)

Required Tables

events

False Positives

Legitimate partner onboarding events where the IT department creates new delegated admin relationships with contracted MSPs or cloud migration consultants through an approved IAM process
Service accounts used by cloud-hosted monitoring, backup, or SIEM forwarders (e.g., Azure-based Sentinel connectors) that authenticate from non-RFC1918 IPs classified by QRadar as external
External auditors or penetration testers granted temporary guest access to Office 365 generating UserType=4 logon events during authorized assessment engagements

Sumo Logic CSE

sql

(_sourceCategory=*o365* OR _sourceCategory=*azure/audit* OR _sourceCategory=*windows/security*)
| parse "\"Operation\":\"*\"" as Operation nodrop
| parse "\"UserId\":\"*\"" as ActorUPN nodrop
| parse "\"ClientIP\":\"*\"" as SourceIP nodrop
| parse "\"UserType\":*," as UserType nodrop
| parse "\"ResultStatus\":\"*\"" as ResultStatus nodrop
| parse "EventCode=*" as EventCode nodrop
| parse "LogonType=*" as LogonType nodrop
| parse "TargetUserName=*" as TargetUserName nodrop
| parse "SourceNetworkAddress=*" as SourceNetworkAddress nodrop
| where (Operation in (
    "Add delegated permission grant",
    "Add partner to cross-tenant access setting",
    "Add policy to cross-tenant access setting",
    "Set partner information",
    "Add member to role",
    "Add app role assignment to service principal",
    "Add service principal"
  ))
  OR (EventCode = "4624" AND LogonType = "3")
  OR (UserType = "4" AND Operation in ("UserLoggedIn", "UserLoginFailed"))
| eval detection_type = if(
    Operation = "Add delegated permission grant"
    OR Operation contains "cross-tenant"
    OR Operation contains "partner"
    OR Operation = "Add app role assignment to service principal"
    OR Operation = "Add service principal",
    "DelegatedAdminGrant",
    if(Operation = "Add member to role",
    "PrivilegedRoleGrant",
    if(EventCode = "4624",
    "ExternalServiceAccountLogon",
    if(UserType = "4",
    "ExternalUserAccess",
    "Other"))))
| where detection_type != "Other"
| eval actor = if(!isNull(ActorUPN) AND ActorUPN != "", ActorUPN,
    if(!isNull(TargetUserName) AND TargetUserName != "", TargetUserName, "unknown"))
| eval src_ip = if(!isNull(SourceIP) AND SourceIP != "", SourceIP,
    if(!isNull(SourceNetworkAddress) AND SourceNetworkAddress != "", SourceNetworkAddress, "unknown"))
| where detection_type != "ExternalServiceAccountLogon"
  OR (
    !matches(src_ip, "10\..*")
    AND !matches(src_ip, "192\.168\..*")
    AND !matches(src_ip, "172\.(1[6-9]|2[0-9]|3[01])\..*")
    AND src_ip != "127.0.0.1"
    AND src_ip != "::1"
    AND src_ip != "unknown"
  )
| eval suspicion_score =
    (if(detection_type = "DelegatedAdminGrant", 3, 0))
    + (if(detection_type = "PrivilegedRoleGrant", 3, 0))
    + (if(detection_type = "ExternalUserAccess", 1, 0))
    + (if(detection_type = "ExternalServiceAccountLogon", 2, 0))
    + (if(matches(actor, "(?i).*admin.*|.*global.*|.*privileged.*"), 1, 0))
    + (if(ResultStatus = "Failed" OR ResultStatus = "Failure", 1, 0))
| where suspicion_score > 0
| table _messageTime, detection_type, Operation, actor, src_ip, ResultStatus, suspicion_score
| sort by suspicion_score desc, _messageTime desc

high severity medium confidence

Data Sources

Office 365 Management Activity (_sourceCategory=*o365*) Azure AD Audit Logs (_sourceCategory=*azure/audit*) Windows Security Event Log (_sourceCategory=*windows/security*)

Required Tables

_sourceCategory=*o365* _sourceCategory=*azure/audit* _sourceCategory=*windows/security*

False Positives

Legitimate IT vendor onboarding where MSPs are granted delegated admin access via formal change management — these will score high (3) but represent authorized activity
Cloud-hosted automation agents (Azure DevOps pipelines, Terraform Cloud runners, Datadog agents) using service-named accounts that authenticate from non-RFC1918 public IPs
External auditors or penetration testers operating under a signed SOW whose temporary guest accounts are classified as UserType=4 and generate O365 access events during the engagement window

Google Chronicle / SecOps

yaral

rule T1199_trusted_relationship_abuse {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects trusted relationship abuse via Azure AD delegated admin grants, cross-tenant access policy changes, and privileged role grants to external or guest accounts"
    mitre_attack_tactic = "Initial Access"
    mitre_attack_technique = "T1199"
    mitre_attack_url = "https://attack.mitre.org/techniques/T1199/"
    severity = "HIGH"
    confidence = "MEDIUM"
    version = "1.0"

  events:
    $e.metadata.product_name = /(?i)(Azure Active Directory|Office 365|Microsoft 365)/

    (
      (
        // Arm 1: Delegated admin grants and partner/cross-tenant configuration changes
        $e.metadata.event_type = "USER_RESOURCE_CREATION" and
        (
          $e.target.resource.name = /(?i)(delegated.permission|cross.?tenant|partner.access|service.principal)/ or
          $e.metadata.description = /(?i)(delegated permission|cross.tenant|partner|role.assignment)/
        )
      ) or
      (
        // Arm 2: Privileged group membership granted to external or guest accounts
        $e.metadata.event_type = "GROUP_MODIFICATION" and
        $e.target.group.group_display_name = /(?i)(Global Admin|Privileged Role|Exchange Admin|SharePoint Admin|Security Admin|Helpdesk Admin|User Admin)/ and
        (
          $e.target.user.email_addresses[0] = /#EXT#/ or
          $e.target.user.userid = /#EXT#/ or
          $e.target.user.user_display_name = /(?i)(msp|vendor|partner|managed.service|contractor)/
        )
      ) or
      (
        // Arm 3: Cross-tenant or B2B user sign-in to sensitive Microsoft 365 workloads
        $e.metadata.event_type = "USER_LOGIN" and
        $e.target.resource.name = /(?i)(Exchange Online|SharePoint Online|Microsoft Teams|Security Center|Compliance Center|Microsoft Graph|Azure Active Directory)/ and
        (
          $e.extensions.auth.auth_details = /(?i)(cross.?tenant|B2B|guest|external|inbound)/ or
          $e.principal.user.email_addresses[0] = /#EXT#/
        ) and
        $e.security_result.action = "ALLOW"
      )
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Azure Active Directory (Chronicle UDM: product_name=Azure Active Directory) Office 365 (Chronicle UDM: product_name=Office 365) Microsoft 365 (Chronicle UDM: product_name=Microsoft 365)

Required Tables

azure_ad (Chronicle ingestion label) o365 (Chronicle ingestion label)

False Positives

Authorized Microsoft Partner Center resellers creating or updating delegated admin relationships as part of contractual Tier 1/Tier 2 support delivery — fires on both initial grant and any periodic renewal
B2B collaboration guests from established partner organizations accessing shared SharePoint document libraries or Teams project workspaces as part of ongoing joint ventures or co-development programs
Identity governance workflows that periodically re-assign privileged roles to external security or audit accounts during compliance review cycles, generating GROUP_MODIFICATION events in bursts

CrowdStrike LogScale (CQL)

cql

// T1199 Trusted Relationship Abuse — CrowdStrike Falcon LogScale
// Covers external service account network logons, privileged group grants to external accounts,
// and provisioning of guest/vendor user accounts visible on Falcon-protected endpoints
union(
  {
    // Arm 1: External service/MSP account network logon (LogonType 3) from non-RFC1918 IP
    #event_simpleName = UserLogon
    | LogonType = 3
    | UserName = /(?i)(svc_|_svc|admin|msp|vendor|mgmt|partner|managed)/
    | RemoteAddressIP4 != /^(10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.|127\.|::1|0\.0\.0\.0)/
    | RemoteAddressIP4 != ""
    | eval DetectionCategory = "ExternalServiceAccountNetworkLogon"
    | table([_time, ComputerName, UserName, UserDomain, RemoteAddressIP4, LogonType, DetectionCategory])
  },
  {
    // Arm 2: Privileged group membership granted to external, guest, or vendor account
    #event_simpleName = UserAccountAddedToGroup
    | GroupName = /(?i)(Global Admin|Privileged Role|Exchange Admin|SharePoint Admin|Security Admin|Helpdesk Admin|User Admin)/
    | (
        UserPrincipalName = /#EXT#/
        OR UserName = /(?i)(msp|vendor|partner|svc_|_svc|contractor|extern)/
      )
    | eval DetectionCategory = "ExternalAccountPrivilegedGroupGrant"
    | table([_time, ComputerName, UserName, UserPrincipalName, GroupName, DetectionCategory])
  },
  {
    // Arm 3: New guest, vendor, or service account created matching external provider naming
    #event_simpleName = UserAccountCreated
    | (
        UserPrincipalName = /#EXT#/
        OR UserName = /(?i)(msp|vendor|partner|managed\.service|svc_|_svc|contractor)/
      )
    | eval DetectionCategory = "ExternalOrServiceAccountProvisioned"
    | table([_time, ComputerName, UserName, UserPrincipalName, DetectionCategory])
  }
)
| sort(field=_time, order=desc)

high severity medium confidence

Data Sources

CrowdStrike Falcon EDR (event_simpleName: UserLogon, UserAccountAddedToGroup, UserAccountCreated) Falcon Identity Protection (for UserPrincipalName and #EXT# enrichment)

Required Tables

#event_simpleName=UserLogon #event_simpleName=UserAccountAddedToGroup #event_simpleName=UserAccountCreated

False Positives

IT administrators using service account naming conventions (e.g., svc_backup, svc_monitoring) that legitimately perform network logons from cloud-hosted management platforms (Azure Automation, AWS Systems Manager) with public IP addresses outside RFC1918
MSP technicians performing authorized remote support sessions via jump hosts that generate UserLogon LogonType=3 events with the MSP's corporate egress IP, which is external to the protected environment
Automated IAM provisioning workflows (e.g., Okta Lifecycle Management, Azure AD Connect) that create service or vendor accounts in bulk during approved onboarding windows, matching the vendor naming pattern regex

Last updated: 2026-04-19 Research depth: deep

References (9)

Response Playbook

1. Examine the full command line and decode any Base64 content...
2. Identify the parent process chain and user context...
3. Check for concurrent network connections from the process...

Investigation Guide

Related techniques: T1027, T1105, T1562.001...
Forensic artifacts: PSReadLine history, Prefetch, ScriptBlock logs...

Atomic Red Team Tests

Test 1: Encoded command execution...
Test 2: Download cradle via Net.WebClient...

Unlock Pro Content

Get the full detection package for T1199 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Trusted Relationship

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Initial Access

Popular Detections