Detect Cloud Service Dashboard in IBM QRadar
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets.
MITRE ATT&CK
- Tactic
- Discovery
- Technique
- T1538 Cloud Service Dashboard
- Canonical reference
- https://attack.mitre.org/techniques/T1538/
QRadar Detection Query
SELECT
DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS event_time,
username,
sourceip,
QIDNAME(qid) AS event_name,
CATEGORYNAME(category) AS event_category,
LOGSOURCETYPENAME(devicetype) AS log_source_type,
"Application" AS app_name,
"Authentication Method" AS auth_method,
"Risk Level" AS risk_level,
"Country" AS source_country,
"User Type" AS user_type,
"MFA Used" AS mfa_used
FROM events
WHERE (
LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure Active Directory', 'Microsoft Azure AD')
AND (
"Application" ILIKE '%azure portal%'
OR "Application" ILIKE '%microsoft 365 admin%'
OR "Application" ILIKE '%azure devops%'
OR "Application" ILIKE '%azure active directory portal%'
)
AND (
"Country" IN ('China', 'Russia', 'North Korea', 'Iran', 'Belarus', 'Cuba', 'Syria')
OR "Risk Level" IN ('high', 'medium')
OR "Authentication Method" = 'singleFactorAuthentication'
OR category = 5
)
)
OR (
LOGSOURCETYPENAME(devicetype) = 'Amazon AWS CloudTrail'
AND QIDNAME(qid) ILIKE '%ConsoleLogin%'
AND (
"User Type" = 'Root'
OR "MFA Used" = 'No'
OR QIDNAME(qid) ILIKE '%Failure%'
)
)
ORDER BY starttime DESC
LAST 24 HOURSAQL query detecting suspicious cloud service dashboard access via Azure Active Directory and AWS CloudTrail log sources ingested through QRadar DSMs. Flags high-risk country origins, missing MFA, elevated risk levels, authentication failures, and root account AWS Console logins. Custom properties (Application, Risk Level, MFA Used, User Type) require corresponding QRadar DSM mappings.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate remote workers in flagged countries (e.g., employees in China or Russia offices) accessing cloud consoles for authorized daily work tasks
- Break-glass or emergency accounts with single-factor authentication intentionally exempted from MFA policy for incident response scenarios, generating singleFactorAuthentication entries
- Shared service accounts used by multiple teams that accumulate high cloud console event volumes, triggering threshold-based alerts without malicious intent
Other platforms for T1538
Testing Methodology
Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1AWS Console Sign-In URL Generation via STS (Federated Access Simulation)
Expected signal: AWS CloudTrail: GetFederationToken event from userIdentity of the caller IAM user, with requestParameters showing the policy document. The ConsoleLogin event in CloudTrail (eventSource: signin.amazonaws.com) fires when the generated URL is clicked in a browser, with additionalEventData.MFAUsed=No and userIdentity.type=FederatedUser.
- Test 2AWS Systems Manager Inventory Enumeration Post-Console-Access (Scattered Spider TTP)
Expected signal: AWS CloudTrail: DescribeInstanceInformation (eventName), ListInventoryEntries, and ListDocuments events under eventSource=ssm.amazonaws.com. All events carry the caller's IAM identity, source IP, userAgent (aws-cli or browser), and requestParameters. If called from a browser console session, the userIdentity.sessionContext will reference the console session.
- Test 3Azure Portal Resource Enumeration via Azure CLI (Stolen Token Simulation)
Expected signal: AzureActivity table in Sentinel: Microsoft.Resources/subscriptions/read, Microsoft.Resources/resourceGroups/read, Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read events with Caller matching the authenticated user principal. AADSignInLogs: service principal or user sign-in event for Azure CLI app (appId: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). All events carry the source IP of the machine running the CLI.
- Test 4GCP Cloud Console Asset Enumeration via gcloud CLI
Expected signal: GCP Cloud Audit Logs: cloudresourcemanager.googleapis.com/projects.list, compute.instances.list, storage.buckets.list, iam.projects.getIamPolicy, and securitycenter.findings.list data access events. All entries include principalEmail (the caller), callerIp, userAgent (cloud-sdk/gcloud), and methodName. These logs appear in Cloud Audit Logs — Data Access log type and can be exported to Splunk via Pub/Sub or to Sentinel via the GCP connector.
References (8)
- https://attack.mitre.org/techniques/T1538/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
- https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
- https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-about.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1538/T1538.md
Unlock Pro Content
Get the full detection package for T1538 including response playbook, investigation guide, and atomic red team tests.