T1199 Splunk · SPL

Detect Trusted Relationship in Splunk

Adversaries may breach or otherwise leverage organizations who have access to intended victims. Access through trusted third-party relationships abuses an existing connection that may not be protected or receives less scrutiny than standard mechanisms of gaining access to a network. Organizations often grant elevated access to second or third-party external providers in order to allow them to manage internal systems as well as cloud-based environments. These relationships include IT services contractors, managed security providers, and infrastructure contractors. In Office 365 and Azure AD environments, organizations may grant Microsoft partners or resellers delegated administrator permissions. By compromising a partner or reseller account, an adversary may be able to leverage existing delegated administrator relationships or send new delegated administrator offers to clients in order to gain administrative control over the victim tenant.

MITRE ATT&CK

Tactic
Initial Access
Technique
T1199 Trusted Relationship
Canonical reference
https://attack.mitre.org/techniques/T1199/

SPL Detection Query

Splunk (SPL)
```Trusted relationship abuse: O365 delegated-admin grants, guest logons by MSP/admin-looking accounts, and external network logons by service accounts. multisearch (rather than append) avoids subsearch row and time limits, so each branch may only use streaming commands (eval, where, fields).```
| multisearch
  [ search sourcetype="o365:management:activity"
      (Operation="Add-RoleGroupMember" OR Operation="New-ManagementRoleAssignment" OR
       Operation="Add member to role." OR Operation="Consent to application." OR
       Operation="Add delegated permission grant." OR Operation="Add app role assignment to service principal.")
    | eval EventCategory="DelegatedPermissionGrant"
    ```multivalue JSON fields such as Actor{}.ID need single quotes inside eval```
    | eval ActorUPN=coalesce(UserId, 'Actor{}.ID')
    | eval TargetResource=coalesce(ObjectId, 'ModifiedProperties{}.NewValue')
    | eval SourceIP=ClientIP
    | fields _time, EventCategory, Operation, ActorUPN, SourceIP, TargetResource, ResultStatus, OrganizationId ]
  [ search sourcetype="o365:management:activity"
      (Operation="UserLoggedIn" OR Operation="UserLoginFailed")
      UserId="*#EXT#*"
    ```B2B guest UPNs carry the #EXT# marker; UserType=4 in the Management Activity schema means System, not an external user```
    | eval EventCategory="ExternalUserAccess"
    | eval ActorUPN=UserId
    | eval SourceIP=ClientIP
    | eval TargetResource=Workload
    | eval IsAdmin=if(match(ActorUPN, "(?i)(admin|svc|msp|partner|vendor|managed)"), 1, 0)
    | where IsAdmin=1
    | fields _time, EventCategory, Operation, ActorUPN, SourceIP, TargetResource, ResultStatus, UserType ]
  [ search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624 (LogonType=3 OR Logon_Type=3)
    ```4624 field names differ between the CIM fields from the Splunk Add-on for Windows, the XML rendering and the classic rendering; coalesce covers all three```
    | eval SourceIP=coalesce(src_ip, IpAddress, Source_Network_Address)
    | eval ActorUPN=coalesce(user, TargetUserName)
    | eval TargetResource=coalesce(dest, ComputerName, Computer)
    | eval LogonType=coalesce(LogonType, Logon_Type)
    | where isnotnull(SourceIP) AND SourceIP!="-" AND SourceIP!="::1"
        AND NOT (cidrmatch("10.0.0.0/8", SourceIP) OR cidrmatch("172.16.0.0/12", SourceIP)
                 OR cidrmatch("192.168.0.0/16", SourceIP) OR cidrmatch("127.0.0.0/8", SourceIP))
    | eval IsSvcAccount=if(match(ActorUPN, "(?i)(svc_|_svc|admin|mgmt|msp|vendor)"), 1, 0)
    | where IsSvcAccount=1
    | eval EventCategory="ExternalServiceAccountNetworkLogon"
    | fields _time, EventCategory, ActorUPN, SourceIP, TargetResource, TargetDomainName, LogonType ]
```score: grants weigh 2, the two logon categories 1, plus 1 for a privileged-looking actor and 1 for a failed result```
| eval SuspicionIndicators=case(EventCategory="DelegatedPermissionGrant", 2, true(), 1)
| eval SuspicionIndicators=SuspicionIndicators + if(match(ActorUPN, "(?i)(admin|global.admin|privileged)"), 1, 0)
| eval SuspicionIndicators=SuspicionIndicators + if(ResultStatus="Failed" OR ResultStatus="Failure", 1, 0)
| where SuspicionIndicators > 0
| sort - SuspicionIndicators, - _time
| table _time, EventCategory, Operation, ActorUPN, SourceIP, TargetResource, SuspicionIndicators
Severity: High · Confidence: Medium

Detects trusted relationship abuse using three data sources, joined with multisearch so that no branch is subject to append's subsearch row and time limits (each branch must therefore use only streaming commands such as eval, where and fields): (1) Office 365 Management Activity logs for delegated permission grants, role assignments and application consent operations that indicate a new MSP/partner relationship or a newly consented application; (2) O365 UserLoggedIn/UserLoginFailed events for B2B guest accounts, identified by the #EXT# marker in the UPN (UserType=4 in the Management Activity schema means System, not an external user, so it must not be used for this purpose), whose names match service/admin/MSP patterns; (3) Windows Security EventCode 4624 LogonType=3 (network logon) for service accounts with MSP/vendor naming patterns authenticating from outside the RFC 1918 and loopback ranges, with cidrmatch() replacing the wildcard list and coalesce() covering both the CIM fields populated by the Splunk Add-on for Windows (src_ip, user, dest) and the raw XML or classic field names. A suspicion score weights events by category (grants 2, the logon categories 1) and adds one point for a privileged-looking actor name and one for a failed result. The naming-pattern regexes are heuristics and should be tuned to the account conventions your MSPs actually use. Requires the Splunk Add-on for Microsoft Office 365 (sourcetype o365:management:activity) and Windows Security log forwarding to Splunk.
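To make the normalisation and scoring concrete, the following is an offline Python model of the same logic run over a handful of constructed sample records. This is an added example, not the page's query or any vendor's code. It assumes XML-rendered 4624 field names (IpAddress, TargetUserName, Computer), the naming regexes from the query, and a hypothetical allowlisted_actors parameter standing in for the partner allowlist recommended under tuning; the records are made up and marked as such.

```python
"""Offline model of the T1199 SPL above: normalise O365 Management Activity records
and Windows 4624 events into one schema, score them as the query does, and return
the suspicious rows. Added example, not the page's rule; sample data is constructed."""
import ipaddress
import re

GRANT_OPS = {  # operations the query treats as delegated-permission or role grants
    "Add-RoleGroupMember", "New-ManagementRoleAssignment", "Add member to role.",
    "Consent to application.", "Add delegated permission grant.",
    "Add app role assignment to service principal.",
}
LOGON_OPS = {"UserLoggedIn", "UserLoginFailed"}
# Same naming heuristics as the match() calls in the SPL.
GUEST_NAME = re.compile(r"(?i)(admin|svc|msp|partner|vendor|managed)")
SVC_NAME = re.compile(r"(?i)(svc_|_svc|admin|mgmt|msp|vendor)")
PRIV_NAME = re.compile(r"(?i)(admin|global\.admin|privileged)")
CATEGORY_WEIGHT = {"DelegatedPermissionGrant": 2, "ExternalUserAccess": 1,
                   "ExternalServiceAccountNetworkLogon": 1}
# Ranges the 4624 branch excludes as internal (RFC 1918, loopback).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "::1/128")]

def is_external_ip(addr):
    """True only for a parseable address outside INTERNAL_NETS; '-' and junk are not external."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL_NETS)

def first(items, key):
    """coalesce() over a multivalue field such as Actor{}.ID: first non-empty items[i][key]."""
    return next((i.get(key) for i in items if i.get(key)), None)

def normalise_o365(rec):
    """One o365:management:activity record -> shared schema, or None if out of scope."""
    op = rec.get("Operation", "")
    actor = rec.get("UserId") or first(rec.get("Actor", []), "ID")
    base = {"time": rec["CreationTime"], "operation": op, "actor": actor,
            "src_ip": rec.get("ClientIP"), "result": rec.get("ResultStatus")}
    if op in GRANT_OPS:
        target = rec.get("ObjectId") or first(rec.get("ModifiedProperties", []), "NewValue")
        return {**base, "category": "DelegatedPermissionGrant", "target": target}
    # B2B guest UPNs carry '#EXT#'; keep only guests whose names look like MSP/admin accounts.
    if op in LOGON_OPS and actor and "#EXT#" in actor and GUEST_NAME.search(actor):
        return {**base, "category": "ExternalUserAccess", "target": rec.get("Workload")}
    return None

def normalise_win4624(rec):
    """4624 network logon by a service-looking account from an external address, else None."""
    if rec.get("EventCode") != 4624 or rec.get("LogonType") != 3:
        return None
    user = rec.get("TargetUserName", "")
    if not SVC_NAME.search(user) or not is_external_ip(rec.get("IpAddress", "-")):
        return None
    return {"time": rec["_time"], "operation": "4624", "actor": user, "src_ip": rec["IpAddress"],
            "target": rec.get("Computer"), "result": None,
            "category": "ExternalServiceAccountNetworkLogon"}

def score(ev):
    """SuspicionIndicators: category weight, +1 privileged-looking actor, +1 failed result."""
    s = CATEGORY_WEIGHT[ev["category"]]
    s += 1 if ev["actor"] and PRIV_NAME.search(ev["actor"]) else 0
    s += 1 if ev["result"] in ("Failed", "Failure") else 0
    return s

def detect(o365_records, win_records, allowlisted_actors=()):
    """Scored events, highest score then newest first; allowlisted actors are dropped."""
    events = [e for e in map(normalise_o365, o365_records) if e]
    events += [e for e in map(normalise_win4624, win_records) if e]
    for e in events:
        e["score"] = score(e)
    events = [e for e in events if e["score"] > 0 and e["actor"] not in allowlisted_actors]
    return sorted(events, key=lambda e: (e["score"], e["time"]), reverse=True)

# Constructed sample telemetry (not real data), in the field shapes Splunk sees.
SAMPLE_O365 = [
    {"CreationTime": "2024-05-01T10:00:00", "Operation": "Add delegated permission grant.",
     "UserId": "helpdesk-admin@partner-msp.example", "ClientIP": "203.0.113.5",
     "ResultStatus": "Success", "ModifiedProperties": [{"NewValue": "Mail.Read Directory.Read.All"}]},
    {"CreationTime": "2024-05-01T09:30:00", "Operation": "UserLoginFailed", "UserType": 0,
     "UserId": "ops-admin_partner-msp.example#EXT#@contoso.onmicrosoft.com",
     "ClientIP": "198.51.100.23", "Workload": "AzureActiveDirectory", "ResultStatus": "Failed"},
    {"CreationTime": "2024-05-01T08:00:00", "Operation": "UserLoggedIn", "UserType": 0,
     "UserId": "backup_vendor.example#EXT#@contoso.onmicrosoft.com",
     "ClientIP": "198.51.100.23", "Workload": "Exchange", "ResultStatus": "Succeeded"},
    {"CreationTime": "2024-05-01T07:00:00", "Operation": "UserLoggedIn", "UserType": 0,  # member, dropped
     "UserId": "alice@contoso.com", "ClientIP": "203.0.113.9", "Workload": "Exchange",
     "ResultStatus": "Succeeded"},
]
SAMPLE_WIN = [  # XML-rendered 4624 field names; the second event is internal and must be dropped
    {"_time": "2024-05-01T11:00:00", "EventCode": 4624, "LogonType": 3, "TargetUserName": "svc_msp_backup",
     "TargetDomainName": "CONTOSO", "IpAddress": "203.0.113.77", "Computer": "FS01.contoso.local"},
    {"_time": "2024-05-01T11:05:00", "EventCode": 4624, "LogonType": 3, "TargetUserName": "svc_msp_backup",
     "TargetDomainName": "CONTOSO", "IpAddress": "10.20.30.40", "Computer": "FS01.contoso.local"},
]

if __name__ == "__main__":
    for ev in detect(SAMPLE_O365, SAMPLE_WIN):
        print(ev["score"], ev["category"], ev["actor"], ev["src_ip"], ev["target"])
```

Running it lists four rows: the delegated permission grant and the failed guest logon by an admin-looking account both score 3, the external service-account network logon and the successful guest logon score 1, and the member logon and the logon from 10.20.30.40 are dropped before scoring. Passing the MSP's known admin UPN in allowlisted_actors removes the grant, which is the effect the tuning advice below aims for in Splunk via a lookup.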

Data Sources

  • Office 365 Management Activity API
  • Windows Security Event Log
  • Azure Active Directory

Required Sourcetypes

  • o365:management:activity
  • WinEventLog:Security

False Positives & Tuning

  • Legitimate MSP onboarding creating new delegated admin grants — coordinate with IT management to build an allowlist of expected partner tenant IDs
  • Authorized service accounts from managed service providers performing scheduled maintenance over the network from their management IP ranges
  • Microsoft partner accounts with existing authorized GDAP or DAP relationships accessing tenant resources as part of contracted support
  • MSSP/MDR provider accounts logging into Office 365 security portals as part of a 24/7 monitoring engagement
  • Vendor or contractor accounts with B2B guest access accessing SharePoint or Teams for authorized project collaboration


Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate Delegated Admin Permission Grant via Azure AD PowerShell

    Expected signal: Azure AD AuditLogs: OperationName 'Add delegated permission grant', Result 'success', InitiatedBy.user.userPrincipalName = executing account, TargetResources[0].displayName = 'Microsoft Graph'. Visible in the Microsoft 365 compliance portal under Audit search with Activity = 'Add delegated permission grant'. In Splunk the same event arrives as Operation="Add delegated permission grant." in o365:management:activity and is scored by the DelegatedPermissionGrant branch.

  2. Test 2: Assign Privileged Role to External Guest Account Simulating MSP Onboarding

    Expected signal: Azure AD AuditLogs: OperationName 'Add member to role', Result 'success', TargetResources[1].displayName = 'Global Reader', TargetResources[0].userPrincipalName contains '#EXT#'. Also generates an 'Invite external user' event. Both are visible in the AuditLogs table within 5-10 minutes. The role assignment matches Operation="Add member to role." in the query; the invitation itself is not in the operation list and is not scored.

  3. Test 3: Simulate MSP Network Logon from External IP Using Service Account

    Expected signal: Windows Security Event ID 4624: LogonType=3 (Network), TargetUserName='svc_msp_test', SourceNetworkAddress=127.0.0.1. Security Event ID 4672 if the account has elevated privileges. Visible in Windows Event Viewer under the Security log within seconds of execution. Caveat: the query excludes loopback and RFC 1918 sources, so a logon recorded from 127.0.0.1 produces the event but never reaches scoring; to exercise the ExternalServiceAccountNetworkLogon branch, authenticate from a non-private address or temporarily relax the exclusion in a test environment.

  4. Test 4: Create New Service Principal and Grant API Permissions Simulating Post-Access Backdoor

    Expected signal: Azure AD AuditLogs: OperationName 'Add application', Result 'success', TargetResources[0].displayName = 'df00tech-detection-test-app'. Followed by OperationName 'Update application' with ModifiedProperties showing RequiredResourceAccess including the Mail.Read scope. Both events include InitiatedBy.user.userPrincipalName of the executing account. Caveat: 'Add application' and 'Update application' are not in the query's operation list; the DelegatedPermissionGrant branch fires only once admin consent or an app role assignment is recorded ('Consent to application.' or 'Add app role assignment to service principal.'), so include that step if the goal is to trigger this detection.

Unlock Pro Content

Get the full detection package for T1199 including response playbook, investigation guide, and atomic red team tests.

