T1538 Sumo Logic CSE · Sumo

Detect Cloud Service Dashboard in Sumo Logic CSE

An adversary may use a cloud service dashboard GUI with stolen credentials to gain useful information from an operational cloud environment, such as specific services, resources, and features. Cloud service dashboards (AWS Management Console, Azure Portal, GCP Cloud Console) provide rich graphical interfaces that may expose more configuration details than programmatic API calls, allowing adversaries to enumerate running instances, storage buckets, IAM roles, network configurations, and security findings. Because dashboard access uses standard web browser sessions, it may blend into legitimate user activity and bypass controls focused on API-level telemetry. Scattered Spider, for example, abused AWS Systems Manager Inventory after gaining console access to identify lateral movement targets.

MITRE ATT&CK

Tactic
Discovery
Technique
T1538 Cloud Service Dashboard
Canonical reference
https://attack.mitre.org/techniques/T1538/

Sumo Detection Query

Sumo Logic CSE (Sumo)
// Azure AD sign-in and AWS CloudTrail records share one query; nodrop keeps events that lack a given field
(_sourceCategory=*azure*signin* OR _sourceCategory=*aws*cloudtrail*)
| json field=_raw "properties.appDisplayName" as app_name nodrop
| json field=_raw "properties.userPrincipalName" as azure_user nodrop
| json field=_raw "properties.ipAddress" as src_ip nodrop
| json field=_raw "properties.location.countryOrRegion" as country nodrop
| json field=_raw "properties.riskLevelDuringSignIn" as risk_level nodrop
| json field=_raw "properties.authenticationRequirement" as auth_req nodrop
| json field=_raw "properties.status.errorCode" as error_code nodrop
| json field=_raw "eventName" as event_name nodrop
| json field=_raw "additionalEventData.MFAUsed" as mfa_used nodrop
| json field=_raw "userIdentity.type" as user_type nodrop
| json field=_raw "responseElements.ConsoleLogin" as console_result nodrop
| json field=_raw "userIdentity.userName" as aws_user nodrop
// Keep only portal/console sign-ins
| where (app_name in ("Azure Portal", "Microsoft Azure Portal", "Azure Active Directory Portal", "Microsoft 365 admin center", "Azure DevOps")
        or event_name = "ConsoleLogin")
// Sumo Logic has no eval: derived fields are written as "| expression as field"
| if(country in ("CN", "RU", "KP", "IR", "BY", "CU", "SY"), 1, 0) as is_high_risk_country
| if(auth_req = "singleFactorAuthentication" or mfa_used = "No", 1, 0) as is_no_mfa
| if(user_type = "Root", 1, 0) as is_root
| if((error_code != "0" and !isNull(error_code)) or console_result = "Failure", 1, 0) as is_failed
| is_high_risk_country + is_no_mfa + is_root + is_failed as suspicion_score
| where suspicion_score > 0
| if(!isNull(azure_user), azure_user, if(!isNull(aws_user), aws_user, "unknown")) as unified_user
| fields _time, unified_user, src_ip, app_name, event_name, country, risk_level, mfa_used, user_type, console_result, suspicion_score
| sort by suspicion_score desc

Severity: high · Confidence: medium

Sumo Logic query correlating Azure AD sign-in logs and AWS CloudTrail ConsoleLogin events to detect suspicious cloud dashboard access (T1538). Calculates a composite suspicion score based on geolocation risk, MFA absence, root account usage, and authentication failures. Requires source categories matching Azure sign-in and AWS CloudTrail log paths.
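To check the scoring logic offline before deploying the query, here is an added Python example (not part of this page or of Sumo Logic) that applies the same four indicators, the sign-in filter and the score threshold to constructed sample records; the event shapes, user names and error code values are assumptions.

```python
import json
HIGH_RISK_COUNTRIES = {"CN", "RU", "KP", "IR", "BY", "CU", "SY"}
PORTAL_APPS = {"Azure Portal", "Microsoft Azure Portal", "Azure Active Directory Portal",
               "Microsoft 365 admin center", "Azure DevOps"}

def _get(obj, path):
    """Walk a dotted JSON path; return None when a segment is missing (mirrors json ... nodrop)."""
    for key in path.split("."):
        if not isinstance(obj, dict) or key not in obj:
            return None
        obj = obj[key]
    return obj

def score_event(raw):
    """Return (unified_user, suspicion_score, indicators), or None if not a dashboard sign-in."""
    ev = json.loads(raw)
    app_name = _get(ev, "properties.appDisplayName")
    event_name = _get(ev, "eventName")
    if app_name not in PORTAL_APPS and event_name != "ConsoleLogin":
        return None  # same filter as the query's first where clause
    error_code = _get(ev, "properties.status.errorCode")
    indicators = {
        "high_risk_country": _get(ev, "properties.location.countryOrRegion") in HIGH_RISK_COUNTRIES,
        "no_mfa": _get(ev, "properties.authenticationRequirement") == "singleFactorAuthentication"
                  or _get(ev, "additionalEventData.MFAUsed") == "No",
        "root": _get(ev, "userIdentity.type") == "Root",
        # Sumo's json operator extracts numbers as strings, so errorCode is compared as text like the query
        "failed": (error_code is not None and str(error_code) != "0")
                  or _get(ev, "responseElements.ConsoleLogin") == "Failure",
    }
    user = (_get(ev, "properties.userPrincipalName") or _get(ev, "userIdentity.userName") or "unknown")
    return user, sum(indicators.values()), indicators

# Constructed sample records (not real telemetry): an Azure sign-in, two ConsoleLogin events, one non-console event
SAMPLE_EVENTS = [
    json.dumps({"properties": {"appDisplayName": "Azure Portal", "userPrincipalName": "alice@example.com",
                "location": {"countryOrRegion": "RU"}, "authenticationRequirement": "singleFactorAuthentication",
                "status": {"errorCode": 50126}}}),
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "Root", "userName": "root"},
                "additionalEventData": {"MFAUsed": "No"}, "responseElements": {"ConsoleLogin": "Success"}}),
    json.dumps({"eventName": "ConsoleLogin", "userIdentity": {"type": "IAMUser", "userName": "bob"},
                "additionalEventData": {"MFAUsed": "Yes"}, "responseElements": {"ConsoleLogin": "Success"}}),
    json.dumps({"eventName": "DescribeInstances", "userIdentity": {"type": "IAMUser", "userName": "carol"}}),
]

def run(raw_events):
    """Keep only events with suspicion_score > 0 and sort by score descending, as the query does."""
    hits = [r for r in (score_event(e) for e in raw_events) if r is not None and r[1] > 0]
    return sorted(hits, key=lambda r: r[1], reverse=True)
```

Running `run(SAMPLE_EVENTS)` surfaces the failed single-factor Azure sign-in from a flagged country (score 3) and the root console login without MFA (score 2), while the MFA-protected IAM user login scores 0 and is dropped.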

Data Sources

  • Azure Active Directory Sign-In Logs (Sumo Logic Azure source)
  • AWS CloudTrail (Sumo Logic AWS S3 source)

Required Tables

Logs under _sourceCategory matching *azure*signin* and *aws*cloudtrail*

False Positives & Tuning

  • Penetration testers or red team operators performing authorized cloud security assessments generating multiple failed authentication attempts against cloud dashboards
  • Users routing traffic through commercial VPNs with exit nodes in high-risk countries appearing to authenticate from flagged geolocations despite physical presence elsewhere
  • Cloud administrators using root credentials for emergency access during production incidents, simultaneously triggering the root account and no-MFA risk indicators

Testing Methodology

Validate this detection against 4 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: AWS Console Sign-In URL Generation via STS (Federated Access Simulation)

    Expected signal: AWS CloudTrail: GetFederationToken event from userIdentity of the caller IAM user, with requestParameters showing the policy document. The ConsoleLogin event in CloudTrail (eventSource: signin.amazonaws.com) fires when the generated URL is clicked in a browser, with additionalEventData.MFAUsed=No and userIdentity.type=FederatedUser.

  2. Test 2: AWS Systems Manager Inventory Enumeration Post-Console-Access (Scattered Spider TTP)

    Expected signal: AWS CloudTrail: DescribeInstanceInformation (eventName), ListInventoryEntries, and ListDocuments events under eventSource=ssm.amazonaws.com. All events carry the caller's IAM identity, source IP, userAgent (aws-cli or browser), and requestParameters. If called from a browser console session, the userIdentity.sessionContext will reference the console session.

  3. Test 3: Azure Portal Resource Enumeration via Azure CLI (Stolen Token Simulation)

    Expected signal: AzureActivity table in Sentinel: Microsoft.Resources/subscriptions/read, Microsoft.Resources/resourceGroups/read, Microsoft.Compute/virtualMachines/read, Microsoft.Storage/storageAccounts/read events with Caller matching the authenticated user principal. AADSignInLogs: service principal or user sign-in event for Azure CLI app (appId: 04b07795-8ddb-461a-bbee-02f9e1bf7b46). All events carry the source IP of the machine running the CLI.

  4. Test 4: GCP Cloud Console Asset Enumeration via gcloud CLI

    Expected signal: GCP Cloud Audit Logs: cloudresourcemanager.googleapis.com/projects.list, compute.instances.list, storage.buckets.list, iam.projects.getIamPolicy, and securitycenter.findings.list data access events. All entries include principalEmail (the caller), callerIp, userAgent (cloud-sdk/gcloud), and methodName. These logs appear in Cloud Audit Logs — Data Access log type and can be exported to Splunk via Pub/Sub or to Sentinel via the GCP connector.
