Detect Cloud Service Dashboard in Microsoft Sentinel
An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets.
MITRE ATT&CK
- Tactic: Discovery
- Technique: T1538 Cloud Service Dashboard
- Canonical reference: https://attack.mitre.org/techniques/T1538/
KQL Detection Query
// Detection 1: Suspicious Azure Portal sign-in patterns
let HighRiskCountryCodes = dynamic(["CN", "RU", "KP", "IR", "BY", "CU", "SY"]);
let CloudDashboardApps = dynamic(["Azure Portal", "Microsoft Azure Portal", "Azure Active Directory Portal", "Microsoft 365 admin center", "Azure DevOps"]);
SigninLogs
| where TimeGenerated > ago(24h)
| where AppDisplayName in (CloudDashboardApps)
| extend CountryCode = tostring(LocationDetails.countryOrRegion)
| extend City = tostring(LocationDetails.city)
| extend Latitude = toreal(LocationDetails.geoCoordinates.latitude)
| extend Longitude = toreal(LocationDetails.geoCoordinates.longitude)
| extend IsHighRiskCountry = CountryCode in (HighRiskCountryCodes)
| extend IsRiskySignIn = RiskLevelDuringSignIn in ("high", "medium")
// ResultType is a string column in SigninLogs; "0" is a successful sign-in
| extend IsFailed = ResultType != "0"
| extend IsNoMFA = AuthenticationRequirement == "singleFactorAuthentication"
// Each boolean indicator contributes 1 to the score; failed sign-ins are kept regardless of score
| extend SuspicionScore = toint(IsHighRiskCountry) + toint(IsRiskySignIn) + toint(IsNoMFA)
| where SuspicionScore > 0 or IsFailed
| project TimeGenerated, UserPrincipalName, AppDisplayName, IPAddress,
    CountryCode, City, RiskLevelDuringSignIn, RiskLevelAggregated,
    ResultType, ResultDescription, ConditionalAccessStatus,
    AuthenticationRequirement, IsHighRiskCountry, IsRiskySignIn, IsNoMFA,
    SuspicionScore, UserAgent
| sort by TimeGenerated desc
// ---
// Detection 2: AWS Management Console login events via AWS CloudTrail connector
// (Requires AWS CloudTrail ingestion into Microsoft Sentinel via AWS S3 connector)
// AWSCloudTrail
// | where TimeGenerated > ago(24h)
// | where EventName == "ConsoleLogin"
// | extend AdditionalData = parse_json(AdditionalEventData)
// | extend MFAUsed = tostring(AdditionalData.MFAUsed)
// | extend ConsoleLoginResult = tostring(parse_json(ResponseElements).ConsoleLogin)
// | extend UserType = tostring(parse_json(UserIdentity).type)
// | extend IsRoot = UserType == "Root"
// | extend IsNoMFA = MFAUsed == "No"
// | extend IsFailedLogin = ConsoleLoginResult == "Failure"
// | where IsRoot or IsNoMFA or IsFailedLogin
// | project TimeGenerated, UserIdentityArn, SourceIpAddress, UserAgent,
//     MFAUsed, UserType, AWSRegion, ConsoleLoginResult, IsRoot, IsNoMFA
// | sort by TimeGenerated desc

The primary detection targets Azure Portal sign-in events in SigninLogs and flags suspicious console access patterns: sign-ins from high-risk country codes, identity risk signals from Azure AD Identity Protection, and single-factor authentication to cloud dashboards. A suspicion score aggregates these indicators, and failed sign-ins are surfaced regardless of score. The secondary, commented-out query targets AWS Management Console ConsoleLogin events in the AWSCloudTrail table (requires the AWS CloudTrail connector) and focuses on root account console logins, console access without MFA, and failed login attempts that precede successful access.
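The commented Detection 2 above flags only the ConsoleLogin event itself. The query below, an added example that is not part of this detection package, chains a successful console sign-in to the AWS Systems Manager inventory enumeration described in the overview (DescribeInstanceInformation, ListInventoryEntries, ListDocuments) performed by the same caller ARN within the following hour. It assumes the AWSCloudTrail table from the AWS S3 connector with the columns the commented query already uses plus UserIdentityType; the 1h window, the minimum of two distinct SSM APIs, and the ARN-based join are assumed starting points to tune, not values from the page.

```kql
// Added example (not from the original detection package): successful AWS console
// sign-in followed by SSM inventory enumeration from the same identity.
// Assumes the AWSCloudTrail table (AWS S3 connector). Window and threshold are assumed.
let lookback = 24h;
let window = 1h;               // assumed: enumeration within an hour of the sign-in
let minDistinctApis = 2;       // assumed: at least two different SSM read APIs
let SsmEnumerationApis = dynamic(["DescribeInstanceInformation", "ListInventoryEntries", "ListDocuments"]);
// Successful console sign-ins, with MFA posture taken from additionalEventData
let ConsoleLogins = AWSCloudTrail
    | where TimeGenerated > ago(lookback)
    | where EventName == "ConsoleLogin"
    | where tostring(parse_json(ResponseElements).ConsoleLogin) == "Success"
    | extend MFAUsed = tostring(parse_json(AdditionalEventData).MFAUsed)
    | project LoginTime = TimeGenerated, UserIdentityArn, UserIdentityType, MFAUsed,
              LoginIp = SourceIpAddress, LoginUserAgent = UserAgent;
// SSM inventory and document enumeration calls
AWSCloudTrail
| where TimeGenerated > ago(lookback)
| where EventSource == "ssm.amazonaws.com"
| where EventName in (SsmEnumerationApis)
| project EnumTime = TimeGenerated, UserIdentityArn, EventName, AWSRegion,
          EnumIp = SourceIpAddress, EnumUserAgent = UserAgent
// Pair each enumeration call with a console sign-in by the same ARN that preceded it
| join kind=inner ConsoleLogins on UserIdentityArn
| where EnumTime between (LoginTime .. (LoginTime + window))
| summarize EnumerationCalls = count(),
            DistinctApis = dcount(EventName),
            Apis = make_set(EventName),
            Regions = make_set(AWSRegion),
            EnumUserAgents = make_set(EnumUserAgent, 5),
            FirstEnum = min(EnumTime),
            LastEnum = max(EnumTime)
    by UserIdentityArn, UserIdentityType, LoginTime, LoginIp, MFAUsed, EnumIp
| where DistinctApis >= minDistinctApis
| extend MinutesAfterLogin = datetime_diff("minute", FirstEnum, LoginTime)
| extend SourceIpChanged = LoginIp != EnumIp       // enumeration came from a different IP than the sign-in
| extend IsRoot = UserIdentityType == "Root"
| extend IsNoMFA = MFAUsed == "No"
| project LoginTime, UserIdentityArn, IsRoot, IsNoMFA, LoginIp, EnumIp, SourceIpChanged,
          MinutesAfterLogin, EnumerationCalls, DistinctApis, Apis, Regions, EnumUserAgents
| sort by LoginTime desc
```

A row with IsNoMFA, SourceIpChanged, or a browser user agent on the sign-in and aws-cli on the enumeration calls is the combination worth triaging first; a single inventory read by a known administrator minutes after an MFA-backed sign-in is the expected false-positive shape.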
Data Sources
Required Tables
- SigninLogs (Detection 1)
- AWSCloudTrail (Detection 2, commented out; requires AWS CloudTrail ingestion via the AWS S3 connector)
False Positives & Tuning
- Legitimate system administrators accessing cloud dashboards from travel locations or home offices with VPN egress IPs in unexpected geographic regions
- Security operations teams conducting cloud configuration audits or compliance reviews using personal accounts that trigger risk signals
- Automated monitoring tools that use service accounts to access Azure Portal for health-check dashboards, generating sign-in log entries
- Cloud contractors or third-party vendors accessing client environments from their own corporate IP ranges, which may appear anomalous to the tenant
- Azure AD Identity Protection false positives on risk scoring for users with atypical but legitimate travel or remote work patterns
Testing Methodology
Validate this detection against the 4 Atomic Red Team tests below. Each test lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1: AWS Console Sign-In URL Generation via STS (Federated Access Simulation)
Expected signal: AWS CloudTrail: GetFederationToken event from userIdentity of the caller IAM user, with requestParameters showing the policy document. The ConsoleLogin event in CloudTrail (eventSource: signin.amazonaws.com) fires when the generated URL is clicked in a browser, with additionalEventData.MFAUsed=No and userIdentity.type=FederatedUser.
- Test 2: AWS Systems Manager Inventory Enumeration Post-Console-Access (Scattered Spider TTP)
Expected signal: AWS CloudTrail: DescribeInstanceInformation (eventName), ListInventoryEntries, and ListDocuments events under eventSource=ssm.amazonaws.com. All events carry the caller's IAM identity, source IP, userAgent (aws-cli or browser), and requestParameters. If called from a browser console session, the userIdentity.sessionContext will reference the console session.
- Test 3: Azure Portal Resource Enumeration via Azure CLI (Stolen Token Simulation)
Expected signal: AzureActivity table in Sentinel: Microsoft.Resources/subscriptions/read, Microsoft.Resources/resourceGroups/read, Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read events with Caller matching the authenticated user principal. AADSignInLogs: service principal or user sign-in event for the Azure CLI app (appId: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). All events carry the source IP of the machine running the CLI.
- Test 4: GCP Cloud Console Asset Enumeration via gcloud CLI
Expected signal: GCP Cloud Audit Logs: cloudresourcemanager.googleapis.com/projects.list, compute.instances.list, storage.buckets.list, iam.projects.getIamPolicy, and securitycenter.findings.list data access events. All entries include principalEmail (the caller), callerIp, userAgent (cloud-sdk/gcloud), and methodName. These logs appear in the Data Access log type of Cloud Audit Logs and can be exported to Splunk via Pub/Sub or to Sentinel via the GCP connector.
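For Test 3 and the False Positives & Tuning list above, the following added example (not part of this detection package) looks for bursts of distinct Azure Resource Manager read operations in AzureActivity by a caller who also signed in to the Azure Portal or the Azure CLI app, and scores each burst by that caller's sign-in posture. It assumes the AzureActivity and SigninLogs tables, that Caller in AzureActivity holds the user principal name (so it can be joined to UserPrincipalName), and substitutes a constructed allowlist of VPN egress IPs and a monitoring service account for a Sentinel watchlist; the 15-minute window, the threshold of 5 distinct read operations and every allowlist value are assumptions.

```kql
// Added example (not from the original detection package): read-operation bursts in
// AzureActivity enriched with the caller's Azure Portal / Azure CLI sign-in posture.
// Assumes AzureActivity.Caller is the UPN of a user account. Thresholds are assumed.
let lookback = 24h;
let window = 15m;                  // assumed: burst window
let minDistinctReads = 5;          // assumed: distinct read operations per window
let AzureCliAppId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46";   // Azure CLI app id (Test 3)
// Constructed allowlist standing in for a Sentinel watchlist of approved admin VPN egress
// IPs and monitoring service accounts (see False Positives & Tuning); swap in _GetWatchlist().
let ApprovedEgressIPs = dynamic(["203.0.113.10", "203.0.113.11"]);      // placeholder TEST-NET-3 addresses
let MonitoringAccounts = dynamic(["healthcheck-monitor@example.com"]);  // placeholder account
// Sign-in posture per user for the Azure Portal and the Azure CLI app
let DashboardSignIns = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where ResultType == "0"                       // successful sign-ins only
    | where AppId == AzureCliAppId or AppDisplayName in ("Azure Portal", "Microsoft Azure Portal")
    | where UserPrincipalName !in (MonitoringAccounts)
    | summarize SignIns = count(),
                NoMfaSignIns = countif(AuthenticationRequirement == "singleFactorAuthentication"),
                RiskySignIns = countif(RiskLevelDuringSignIn in ("high", "medium")),
                SignInApps = make_set(AppDisplayName, 5),
                SignInIPs = make_set(IPAddress, 10)
        by UserPrincipalName;
AzureActivity
| where TimeGenerated > ago(lookback)
| where OperationNameValue endswith "/READ"          // endswith is case-insensitive in KQL
| where Caller !in (MonitoringAccounts)
| summarize ReadCalls = count(),
            DistinctReadOps = dcount(OperationNameValue),
            ReadOps = make_set(OperationNameValue, 20),
            Subscriptions = dcount(SubscriptionId),
            ResourceGroups = dcount(ResourceGroup),
            // source IPs not on the approved egress list
            UnapprovedIPs = make_set_if(CallerIpAddress, CallerIpAddress !in (ApprovedEgressIPs), 5)
    by Caller, WindowStart = bin(TimeGenerated, window)
| where DistinctReadOps >= minDistinctReads
| join kind=inner DashboardSignIns on $left.Caller == $right.UserPrincipalName
// One point each: no MFA, risky sign-in, cross-subscription reads, unapproved source IP
| extend EnumerationScore = toint(NoMfaSignIns > 0) + toint(RiskySignIns > 0) + toint(Subscriptions > 1) + toint(array_length(UnapprovedIPs) > 0)
| project WindowStart, Caller, EnumerationScore, DistinctReadOps, ReadCalls,
          Subscriptions, ResourceGroups, UnapprovedIPs, ReadOps,
          SignInApps, SignInIPs, NoMfaSignIns, RiskySignIns
| sort by EnumerationScore desc, DistinctReadOps desc
```

Running this alongside Detection 1 gives you the second half of the picture: Detection 1 tells you who reached the dashboard under a suspicious posture, and this query tells you whether that session then walked subscriptions, resource groups, virtual machines and storage accounts. The allowlist entries are where the tuning cases above (VPN egress, health-check service accounts) are absorbed, so keep them in a watchlist rather than in the query text.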
References
- https://attack.mitre.org/techniques/T1538/
- https://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-event-reference-aws-console-sign-in-events.html
- https://cloud.google.com/security-command-center/docs/quickstart-scc-dashboard
- https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-320a
- https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema
- https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/azureactivity
- https://docs.aws.amazon.com/systems-manager/latest/userguide/sysman-inventory-about.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1538/T1538.md