T1538 Elastic Security · Elastic

Detect Cloud Service Dashboard in Elastic Security

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets.

MITRE ATT&CK

Tactic
Discovery
Technique
T1538 Cloud Service Dashboard
Canonical reference
https://attack.mitre.org/techniques/T1538/

Elastic Detection Query

Elastic Security (Elastic)
eql 
any where
  (
    event.dataset == "azure.signinlogs" and
    azure.signinlogs.properties.app_display_name in~ (
      "Azure Portal", "Microsoft Azure Portal",
      "Azure Active Directory Portal",
      "Microsoft 365 admin center", "Azure DevOps"
    ) and
    (
      source.geo.country_iso_code in ("CN", "RU", "KP", "IR", "BY", "CU", "SY") or
      azure.signinlogs.properties.risk_level_during_sign_in in ("high", "medium") or
      azure.signinlogs.properties.authentication_requirement == "singleFactorAuthentication" or
      event.outcome == "failure"
    )
  ) or
  (
    event.dataset == "aws.cloudtrail" and
    event.action == "ConsoleLogin" and
    (
      aws.cloudtrail.user_identity.type == "Root" or
      aws.cloudtrail.additional_event_data.mfa_used == "No" or
      aws.cloudtrail.error_code != null
    )
  )
medium severity medium confidence

Detects suspicious cloud service dashboard access (T1538) by correlating Azure AD sign-in logs and AWS CloudTrail ConsoleLogin events against risk indicators: high-risk geolocation, missing MFA, elevated risk score, authentication failures, and root account AWS Console usage.

Data Sources

Azure Active Directory Sign-In Logs via Elastic Azure integrationAWS CloudTrail via Elastic AWS integration

Required Tables

logs-azure.signinlogs-*logs-aws.cloudtrail-*

False Positives & Tuning

  • Legitimate administrators or developers accessing Azure Portal or AWS Console from flagged countries while traveling on authorized business trips
  • SOC analysts or DevOps engineers performing routine cloud infrastructure reviews using legacy service accounts that have not yet been enrolled in MFA
  • Automated CI/CD pipelines or cloud monitoring tools authenticating to dashboards using service principals without MFA configured, generating high event volumes that exceed behavioral thresholds
Download portable Sigma rule (.yml)

Other platforms for T1538

Microsoft Sentinel (KQL) Splunk (SPL) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS Console Sign-In URL Generation via STS (Federated Access Simulation)

    Expected signal: AWS CloudTrail: GetFederationToken event from userIdentity of the caller IAM user, with requestParameters showing the policy document. The ConsoleLogin event in CloudTrail (eventSource: signin.amazonaws.com) fires when the generated URL is clicked in a browser, with additionalEventData.MFAUsed=No and userIdentity.type=FederatedUser.

  2. Test 2AWS Systems Manager Inventory Enumeration Post-Console-Access (Scattered Spider TTP)

    Expected signal: AWS CloudTrail: DescribeInstanceInformation (eventName), ListInventoryEntries, and ListDocuments events under eventSource=ssm.amazonaws.com. All events carry the caller's IAM identity, source IP, userAgent (aws-cli or browser), and requestParameters. If called from a browser console session, the userIdentity.sessionContext will reference the console session.

  3. Test 3Azure Portal Resource Enumeration via Azure CLI (Stolen Token Simulation)

    Expected signal: AzureActivity table in Sentinel: Microsoft.Resources/subscriptions/read, Microsoft.Resources/resourceGroups/read, Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read events with Caller matching the authenticated user principal. AADSignInLogs: service principal or user sign-in event for Azure CLI app (appId: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). All events carry the source IP of the machine running the CLI.

  4. Test 4GCP Cloud Console Asset Enumeration via gcloud CLI

    Expected signal: GCP Cloud Audit Logs: cloudresourcemanager.googleapis.com/projects.list, compute.instances.list, storage.buckets.list, iam.projects.getIamPolicy, and securitycenter.findings.list data access events. All entries include principalEmail (the caller), callerIp, userAgent (cloud-sdk/gcloud), and methodName. These logs appear in Cloud Audit Logs — Data Access log type and can be exported to Splunk via Pub/Sub or to Sentinel via the GCP connector.

Last updated: 2026-04-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1538 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078.004Cloud AccountsT1087.004Cloud AccountT1530Data from Cloud StorageT1537Transfer Data to Cloud AccountT1526Cloud Service DiscoveryT1613Container and Resource DiscoveryT1069.003Cloud GroupsT1580Cloud Infrastructure DiscoveryT1110.003Password SprayingT1621Multi-Factor Authentication Request Generation

Same Tactic: Discovery

Popular Detections