T1538 Cloud Service Dashboard Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// Detection 1: Suspicious Azure Portal sign-in patterns
let HighRiskCountryCodes = dynamic(["CN", "RU", "KP", "IR", "BY", "CU", "SY"]);
let CloudDashboardApps = dynamic(["Azure Portal", "Microsoft Azure Portal", "Azure Active Directory Portal", "Microsoft 365 admin center", "Azure DevOps"]);
SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName in (CloudDashboardApps)
| extend CountryCode = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| extend Latitude = toreal(LocationDetails.geoCoordinates.latitude)
| extend Longitude = toreal(LocationDetails.geoCoordinates.longitude)
| extend IsHighRiskCountry = CountryCode in (HighRiskCountryCodes)
| extend IsRiskySignIn = RiskLevelDuringSignIn in ("high", "medium")
| extend IsFailed = ResultType != 0
| extend IsNoMFA = AuthenticationRequirement == "singleFactorAuthentication"
| extend SuspicionScore = toint(IsHighRiskCountry) + toint(IsRiskySignIn) + toint(IsNoMFA)
| where SuspicionScore > 0 or IsFailed
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
         CountryCode, City, RiskLevelDuringSignIn, RiskLevelAggregated,
         ResultType, ResultDescription, ConditionalAccessStatus,
         AuthenticationRequirement, IsHighRiskCountry, IsRiskySignIn, IsNoMFA,
         SuspicionScore, UserAgent
| sort by TimeGenerated desc
// ---
// Detection 2: AWS Management Console login events via AWS CloudTrail connector
// (Requires AWS CloudTrail ingestion into Microsoft Sentinel via AWS S3 connector)
// AWSCloudTrail
// | where TimeGenerated > ago(24h)
// | where EventName == "ConsoleLogin"
// | extend AdditionalData = parse_json(AdditionalEventData)
// | extend MFAUsed = tostring(AdditionalData.MFAUsed)
// | extend ConsoleLoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
// | extend UserType = tostring(parse_json(UserIdentity).type)
// | extend IsRoot = UserType == "Root"
// | extend IsNoMFA = MFAUsed == "No"
// | extend IsFailedLogin = ConsoleLoginResult == "Failure"
// | where IsRoot or IsNoMFA or IsFailedLogin
// | project TimeGenerated, UserIdentityArn, SourceIpAddress, UserAgent,
//          MFAUsed, UserType, AWSRegion, ConsoleLoginResult, IsRoot, IsNoMFA
// | sort by TimeGenerated desc

medium severity medium confidence

Data Sources

Logon Session: Logon Session Creation Cloud Service: Cloud Service Metadata Azure AD Sign-In Logs AWS CloudTrail ConsoleLogin Events

Required Tables

SigninLogs AWSCloudTrail

False Positives

Legitimate system administrators accessing cloud dashboards from travel locations or home offices with VPN egress IPs in unexpected geographic regions
Security operations teams conducting cloud configuration audits or compliance reviews using personal accounts that trigger risk signals
Automated monitoring tools that use service accounts to access Azure Portal for health-check dashboards, generating sign-in log entries
Cloud contractors or third-party vendors accessing client environments from their own corporate IP ranges, which may appear anomalous to the tenant
Azure AD Identity Protection false positives on risk scoring for users with atypical but legitimate travel or remote work patterns

Splunk

spl

| tstats count min(_time) as firstSeen max(_time) as lastSeen from datamodel=Authentication where Authentication.action=* by Authentication.src, Authentication.user, Authentication.app, Authentication.action
| search Authentication.app IN ("*portal*", "*console*", "*dashboard*", "*admin*")
| rename Authentication.* as *
| eval is_failed=if(action=="failure", 1, 0)
| stats count as TotalEvents, sum(is_failed) as FailedAttempts, values(app) as Apps, values(src) as SourceIPs, earliest(firstSeen) as Earliest, latest(lastSeen) as Latest by user
| where FailedAttempts > 3 OR TotalEvents > 20
| sort - FailedAttempts
| append
    [search index=aws sourcetype=aws:cloudtrail eventName=ConsoleLogin
    | eval mfa_used=coalesce('additionalEventData.MFAUsed', "Unknown")
    | eval console_result=coalesce('responseElements.ConsoleLogin', "Unknown")
    | eval user_type=coalesce('userIdentity.type', "Unknown")
    | eval username=coalesce('userIdentity.userName', 'userIdentity.arn', "unknown")
    | eval is_root=if(user_type=="Root", 1, 0)
    | eval no_mfa=if(mfa_used=="No", 1, 0)
    | eval is_failed_login=if(console_result=="Failure", 1, 0)
    | eval SuspicionScore=is_root + no_mfa + is_failed_login
    | where SuspicionScore > 0
    | table _time, username, sourceIPAddress, userAgent, mfa_used, user_type, console_result, awsRegion, SuspicionScore
    | sort - _time]

medium severity medium confidence

Data Sources

Logon Session: Logon Session Creation Cloud Service: Cloud Service Metadata AWS CloudTrail Authentication Data Model

Required Sourcetypes

aws:cloudtrail

False Positives

Legitimate administrators performing cloud infrastructure reviews will generate high portal access counts, especially during audit periods or incident response activities
Break-glass root account usage for emergency administrative tasks may trigger root console login alerts despite being authorized and documented
Security tooling that aggregates cloud console sessions for compliance reporting may create authentication log entries matching console app patterns
Cloud training environments and sandbox accounts where developers test console functionality frequently log unusual access patterns

Elastic Security (EQL)

eql

any where
  (
    event.dataset == "azure.signinlogs" and
    azure.signinlogs.properties.app_display_name in~ (
      "Azure Portal", "Microsoft Azure Portal",
      "Azure Active Directory Portal",
      "Microsoft 365 admin center", "Azure DevOps"
    ) and
    (
      source.geo.country_iso_code in ("CN", "RU", "KP", "IR", "BY", "CU", "SY") or
      azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium") or
      azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication" or
      event.outcome == "failure"
    )
  ) or
  (
    event.dataset == "aws.cloudtrail" and
    event.action == "ConsoleLogin" and
    (
      aws.cloudtrail.user_identity.type == "Root" or
      aws.cloudtrail.additional_event_data.mfa_used == "No" or
      aws.cloudtrail.error_code != null
    )
  )

medium severity medium confidence

Data Sources

Azure Active Directory Sign-In Logs via Elastic Azure integration AWS CloudTrail via Elastic AWS integration

Required Tables

logs-azure.signinlogs-* logs-aws.cloudtrail-*

False Positives

Legitimate administrators or developers accessing Azure Portal or AWS Console from flagged countries while traveling on authorized business trips
SOC analysts or DevOps engineers performing routine cloud infrastructure reviews using legacy service accounts that have not yet been enrolled in MFA
Automated CI/CD pipelines or cloud monitoring tools authenticating to dashboards using service principals without MFA configured, generating high event volumes that exceed behavioral thresholds

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
  username,
  sourceip,
  QIDNAME(qid) AS event_name,
  CATEGORYNAME(category) AS event_category,
  LOGSOURCETYPENAME(devicetype) AS log_source_type,
  "Application" AS app_name,
  "Authentication Method" AS auth_method,
  "Risk Level" AS risk_level,
  "Country" AS source_country,
  "User Type" AS user_type,
  "MFA Used" AS mfa_used
FROM events
WHERE (
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Microsoft Azure AD')
    AND (
      "Application" ILIKE '%azure portal%'
      OR "Application" ILIKE '%microsoft 365 admin%'
      OR "Application" ILIKE '%azure devops%'
      OR "Application" ILIKE '%azure active directory portal%'
    )
    AND (
      "Country" IN ('China', 'Russia', 'North Korea', 'Iran', 'Belarus', 'Cuba', 'Syria')
      OR "Risk Level" IN ('high', 'medium')
      OR "Authentication Method" = 'singleFactorAuthentication'
      OR category = 5
    )
  )
  OR (
    LOGSOURCETYPENAME(devicetype) = 'Amazon AWS CloudTrail'
    AND QIDNAME(qid) ILIKE '%ConsoleLogin%'
    AND (
      "User Type" = 'Root'
      OR "MFA Used" = 'No'
      OR QIDNAME(qid) ILIKE '%Failure%'
    )
  )
ORDER BY starttime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

Microsoft Azure Active Directory (QRadar DSM) Amazon AWS CloudTrail (QRadar DSM)

Required Tables

events

False Positives

Legitimate remote workers in flagged countries (e.g., employees in China or Russia offices) accessing cloud consoles for authorized daily work tasks
Break-glass or emergency accounts with single-factor authentication intentionally exempted from MFA policy for incident response scenarios, generating singleFactorAuthentication entries
Shared service accounts used by multiple teams that accumulate high cloud console event volumes, triggering threshold-based alerts without malicious intent

Sumo Logic CSE

sql

(_sourceCategory=*azure*signin* OR _sourceCategory=*aws*cloudtrail*)
| json field=_raw "properties.appDisplayName" as app_name nodrop
| json field=_raw "properties.userPrincipalName" as azure_user nodrop
| json field=_raw "properties.ipAddress" as src_ip nodrop
| json field=_raw "properties.location.countryOrRegion" as country nodrop
| json field=_raw "properties.riskLevelDuringSignIn" as risk_level nodrop
| json field=_raw "properties.authenticationRequirement" as auth_req nodrop
| json field=_raw "properties.status.errorCode" as error_code nodrop
| json field=_raw "eventName" as event_name nodrop
| json field=_raw "additionalEventData.MFAUsed" as mfa_used nodrop
| json field=_raw "userIdentity.type" as user_type nodrop
| json field=_raw "responseElements.ConsoleLogin" as console_result nodrop
| json field=_raw "userIdentity.userName" as aws_user nodrop
| where (app_name in ("Azure Portal", "Microsoft Azure Portal", "Azure Active Directory Portal", "Microsoft 365 admin center", "Azure DevOps")
        or event_name = "ConsoleLogin")
| eval is_high_risk_country = if(country in ("CN", "RU", "KP", "IR", "BY", "CU", "SY"), 1, 0)
| eval is_no_mfa = if(auth_req = "singleFactorAuthentication" or mfa_used = "No", 1, 0)
| eval is_root = if(user_type = "Root", 1, 0)
| eval is_failed = if((error_code != "0" and !isNull(error_code)) or console_result = "Failure", 1, 0)
| eval suspicion_score = is_high_risk_country + is_no_mfa + is_root + is_failed
| where suspicion_score > 0
| eval unified_user = if(!isNull(azure_user), azure_user, if(!isNull(aws_user), aws_user, "unknown"))
| table _time, unified_user, src_ip, app_name, event_name, country, risk_level, mfa_used, user_type, console_result, suspicion_score
| sort by suspicion_score desc

high severity medium confidence

Data Sources

Azure Active Directory Sign-In Logs (Sumo Logic Azure source) AWS CloudTrail (Sumo Logic AWS S3 source)

Required Tables

Logs under _sourceCategory matching *azure*signin* and *aws*cloudtrail*

False Positives

Penetration testers or red team operators performing authorized cloud security assessments generating multiple failed authentication attempts against cloud dashboards
Users routing traffic through commercial VPNs with exit nodes in high-risk countries appearing to authenticate from flagged geolocations despite physical presence elsewhere
Cloud administrators using root credentials for emergency access during production incidents, simultaneously triggering the root account and no-MFA risk indicators

Google Chronicle / SecOps

yaral

rule t1538_cloud_service_dashboard_suspicious_access {
  meta:
    author = "df00tech"
    description = "Detects suspicious cloud service dashboard access (T1538) via anomalous sign-ins to Azure Portal, AWS Management Console, or GCP Cloud Console with compound risk indicators"
    mitre_attack_tactic = "Discovery"
    mitre_attack_technique = "T1538"
    severity = "MEDIUM"
    priority = "MEDIUM"
    created = "2026-04-20"
    reference = "https://attack.mitre.org/techniques/T1538/"

  events:
    $login.metadata.event_type = "USER_LOGIN"
    (
      $login.target.application in nocase (
        "Azure Portal",
        "Microsoft Azure Portal",
        "AWS Management Console",
        "Google Cloud Console",
        "Azure Active Directory Portal",
        "Microsoft 365 admin center"
      )
      or $login.metadata.product_name in nocase (
        "Azure Active Directory",
        "Amazon CloudTrail",
        "Google Cloud Identity"
      )
    )
    (
      $login.principal.location.country_or_region in (
        "China", "Russia", "North Korea", "Iran", "Belarus", "Cuba", "Syria"
      )
      or $login.security_result.severity in ("HIGH", "CRITICAL")
      or $login.extensions.auth.auth_details = "SINGLE_FACTOR"
      or $login.security_result.action = "BLOCK"
      or $login.target.user.attribute.roles.name = "Root"
    )
    $user = $login.principal.user.userid

  condition:
    $login
}

medium severity medium confidence

Data Sources

Google Chronicle UDM (Azure AD via Chronicle forwarder or Bindplane) Google Chronicle UDM (AWS CloudTrail via Chronicle S3 ingestion) Google Chronicle UDM (GCP Cloud Identity and Access Management)

Required Tables

UDM USER_LOGIN event stream

False Positives

Global enterprise users authenticating to cloud dashboards from high-risk geolocation codes due to regional business offices or partner network egress points in flagged countries
Security teams conducting tabletop exercises or red team operations that generate blocked or single-factor cloud console login events during authorized testing windows
Federated identity providers routing authentication through regions that appear as high-risk countries in geolocation databases due to IP space allocation mismatches

CrowdStrike LogScale (CQL)

cql

// Detect cloud service dashboard access via Falcon endpoint DNS telemetry
// Identifies hosts making repeated DNS lookups to major cloud provider console hostnames
#event_simpleName = "DnsRequest"
| filter(DomainName = /(?i)(console\.aws\.amazon\.com|signin\.aws\.amazon\.com|portal\.azure\.com|aad\.portal\.azure\.com|console\.cloud\.google\.com|admin\.microsoft\.com|devops\.azure\.com)/)
| groupBy([aid, UserName, ComputerName], function=[
    count(as=DnsRequestCount),
    collect(DomainName, as=CloudDomainsAccessed),
    min(@timestamp, as=FirstAccessMs),
    max(@timestamp, as=LastAccessMs)
  ])
| eval SessionDurationMinutes = (LastAccessMs - FirstAccessMs) / 60000
| where DnsRequestCount > 5
| sort(DnsRequestCount, order=desc)
| select([ComputerName, UserName, CloudDomainsAccessed, DnsRequestCount, SessionDurationMinutes, FirstAccessMs, LastAccessMs])

medium severity low confidence

Data Sources

CrowdStrike Falcon Endpoint (DnsRequest telemetry) CrowdStrike Falcon Identity Protection (for correlated auth context)

Required Tables

DnsRequest events (#event_simpleName = DnsRequest)

False Positives

DevOps engineers and cloud architects making frequent DNS lookups to cloud provider consoles during routine infrastructure management, deployments, and monitoring activities
Automated scripts, Terraform runs, or infrastructure-as-code pipelines generating sustained DNS resolution bursts to cloud console domains as part of legitimate provisioning workflows
Security monitoring tools or SIEM health-check agents polling cloud provider console URLs for availability checks, generating high-volume DNS request patterns that exceed thresholds

Cloud Service Dashboard

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Discovery

Popular Detections