T1538 Splunk · SPL

Detect Cloud Service Dashboard in Splunk

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets.

MITRE ATT&CK

Tactic
Discovery
Technique
T1538 Cloud Service Dashboard
Canonical reference
https://attack.mitre.org/techniques/T1538/

SPL Detection Query

Splunk (SPL)
spl 
| tstats count min(_time) as firstSeen max(_time) as lastSeen from datamodel=Authentication where Authentication.action=* by Authentication.src, Authentication.user, Authentication.app, Authentication.action
| search Authentication.app IN ("*portal*", "*console*", "*dashboard*", "*admin*")
| rename Authentication.* as *
| eval is_failed=if(action=="failure", 1, 0)
| stats count as TotalEvents, sum(is_failed) as FailedAttempts, values(app) as Apps, values(src) as SourceIPs, earliest(firstSeen) as Earliest, latest(lastSeen) as Latest by user
| where FailedAttempts > 3 OR TotalEvents > 20
| sort - FailedAttempts
| append
    [search index=aws sourcetype=aws:cloudtrail eventName=ConsoleLogin
    | eval mfa_used=coalesce('additionalEventData.MFAUsed', "Unknown")
    | eval console_result=coalesce('responseElements.ConsoleLogin', "Unknown")
    | eval user_type=coalesce('userIdentity.type', "Unknown")
    | eval username=coalesce('userIdentity.userName', 'userIdentity.arn', "unknown")
    | eval is_root=if(user_type=="Root", 1, 0)
    | eval no_mfa=if(mfa_used=="No", 1, 0)
    | eval is_failed_login=if(console_result=="Failure", 1, 0)
    | eval SuspicionScore=is_root + no_mfa + is_failed_login
    | where SuspicionScore > 0
    | table _time, username, sourceIPAddress, userAgent, mfa_used, user_type, console_result, awsRegion, SuspicionScore
    | sort - _time]
medium severity medium confidence

Primary SPL detection uses the Authentication data model to identify suspicious cloud portal and console access patterns across multiple authentication sources. Flags users with repeated failed login attempts to portal/console/dashboard apps or abnormally high access volume. Appended search specifically targets AWS CloudTrail ConsoleLogin events, flagging root account access, console logins without MFA, and failed console login attempts. Suspicion scoring aggregates multiple risk indicators for analyst prioritization.

Data Sources

Logon Session: Logon Session CreationCloud Service: Cloud Service MetadataAWS CloudTrailAuthentication Data Model

Required Sourcetypes

aws:cloudtrail

False Positives & Tuning

  • Legitimate administrators performing cloud infrastructure reviews will generate high portal access counts, especially during audit periods or incident response activities
  • Break-glass root account usage for emergency administrative tasks may trigger root console login alerts despite being authorized and documented
  • Security tooling that aggregates cloud console sessions for compliance reporting may create authentication log entries matching console app patterns
  • Cloud training environments and sandbox accounts where developers test console functionality frequently log unusual access patterns
Download portable Sigma rule (.yml)

Other platforms for T1538

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1AWS Console Sign-In URL Generation via STS (Federated Access Simulation)

    Expected signal: AWS CloudTrail: GetFederationToken event from userIdentity of the caller IAM user, with requestParameters showing the policy document. The ConsoleLogin event in CloudTrail (eventSource: signin.amazonaws.com) fires when the generated URL is clicked in a browser, with additionalEventData.MFAUsed=No and userIdentity.type=FederatedUser.

  2. Test 2AWS Systems Manager Inventory Enumeration Post-Console-Access (Scattered Spider TTP)

    Expected signal: AWS CloudTrail: DescribeInstanceInformation (eventName), ListInventoryEntries, and ListDocuments events under eventSource=ssm.amazonaws.com. All events carry the caller's IAM identity, source IP, userAgent (aws-cli or browser), and requestParameters. If called from a browser console session, the userIdentity.sessionContext will reference the console session.

  3. Test 3Azure Portal Resource Enumeration via Azure CLI (Stolen Token Simulation)

    Expected signal: AzureActivity table in Sentinel: Microsoft.Resources/subscriptions/read, Microsoft.Resources/resourceGroups/read, Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read events with Caller matching the authenticated user principal. AADSignInLogs: service principal or user sign-in event for Azure CLI app (appId: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). All events carry the source IP of the machine running the CLI.

  4. Test 4GCP Cloud Console Asset Enumeration via gcloud CLI

    Expected signal: GCP Cloud Audit Logs: cloudresourcemanager.googleapis.com/projects.list, compute.instances.list, storage.buckets.list, iam.projects.getIamPolicy, and securitycenter.findings.list data access events. All entries include principalEmail (the caller), callerIp, userAgent (cloud-sdk/gcloud), and methodName. These logs appear in Cloud Audit Logs — Data Access log type and can be exported to Splunk via Pub/Sub or to Sentinel via the GCP connector.

Last updated: 2026-04-20 Research depth: deep
References (8)

Unlock Pro Content

Get the full detection package for T1538 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Related Techniques

T1078.004Cloud AccountsT1087.004Cloud AccountT1530Data from Cloud StorageT1537Transfer Data to Cloud AccountT1526Cloud Service DiscoveryT1613Container and Resource DiscoveryT1069.003Cloud GroupsT1580Cloud Infrastructure DiscoveryT1110.003Password SprayingT1621Multi-Factor Authentication Request Generation

Same Tactic: Discovery

Popular Detections