T1586 Sumo Logic CSE · Sumo

Detect Compromise Accounts in Sumo Logic CSE

This detection identifies indicators of compromised accounts being leveraged against the organization, including credential stuffing attacks that transition from repeated failures to success, impossible travel anomalies where a single identity authenticates from geographically distant locations within an implausible timeframe, sign-ins from known hosting or anonymization infrastructure, and MFA bypass patterns consistent with session token theft or adversary-in-the-middle phishing toolkits such as Evilginx2 or Modlishka. Because T1586 is a PRE-ATT&CK technique occurring outside the victim environment, detections focus on the observable authentication artifacts generated when adversaries weaponize stolen credentials or session material against organizational identity providers including Azure AD, on-premises Active Directory, and SaaS application login flows.

MITRE ATT&CK

Tactic
Resource Development
Technique
T1586 Compromise Accounts
Canonical reference
https://attack.mitre.org/techniques/T1586/

Sumo Detection Query

Sumo Logic CSE (Sumo)
(_sourceCategory="os/windows/security"
  OR _sourceCategory="azure/signinlogs"
  OR _sourceCategory="okta/systemlog")
// nodrop keeps events whose source format does not contain a given field
| parse field=_raw "EventCode=*" as EventCode nodrop
| parse field=_raw "\"resultType\":\"*\"" as ResultType nodrop
| parse field=_raw "TargetUserName=*\n" as TargetUser nodrop
| parse field=_raw "\"userPrincipalName\":\"*\"" as UPN nodrop
| parse field=_raw "IpAddress=*\n" as WinIP nodrop
| parse field=_raw "\"ipAddress\":\"*\"" as AzureIP nodrop
// normalise identity and source IP: prefer the Azure AD fields, fall back to Windows
| if(!isNull(UPN) and UPN != "", UPN, TargetUser) as AuthUser
| if(!isNull(AzureIP) and AzureIP != "", AzureIP, WinIP) as SrcIP
// failure: Windows 4625/4776, or a non-zero Azure AD resultType other than 50053/50076
| if(EventCode in ("4625", "4776")
     or (!isNull(ResultType) and ResultType != "0"
         and ResultType != "50053" and ResultType != "50076"),
     1, 0) as IsFailure
// success: Windows 4624/4648, or Azure AD resultType 0
| if(EventCode in ("4624", "4648") or ResultType == "0", 1, 0) as IsSuccess
// drop blank users and machine accounts (names ending in "$")
| where !isNull(AuthUser)
  and AuthUser != "-"
  and AuthUser != ""
  and !(AuthUser matches "*$")
| sum(IsFailure)          as FailureCount,
  sum(IsSuccess)          as SuccessCount,
  count_distinct(SrcIP)   as UniqueIPs,
  values(SrcIP)           as IPList,
  min(_messageTime)       as FirstSeen,
  max(_messageTime)       as LastSeen
  by AuthUser
| where FailureCount >= 5 and SuccessCount >= 1
// _messageTime is epoch milliseconds, so divide by 60000 for minutes
| round((LastSeen - FirstSeen) / 60000, 1) as WindowMinutes
| if(UniqueIPs > 10, 95,
    if(UniqueIPs > 5,  85,
    if(UniqueIPs > 2,  70, 55))) as RiskScore
| "CredentialStuffingThenSuccess" as DetectionType
| fields AuthUser, FailureCount, SuccessCount, UniqueIPs, IPList,
         WindowMinutes, RiskScore, DetectionType, FirstSeen, LastSeen
| sort by RiskScore desc
Severity: high · Confidence: medium

Sumo Logic scheduled search detecting T1586 credential stuffing across Windows Security Event logs (EventCode 4624, 4625, 4648, 4776), Azure AD sign-in logs (resultType 0 = success), and Okta System Log entries. Uses nodrop parse statements to handle heterogeneous source formats without dropping non-matching events, normalises username and source IP fields across log types, then aggregates per account to identify accounts experiencing repeated authentication failures followed by success. Deploy as a scheduled search with a 24-hour time range running every 30 minutes. Adjust _sourceCategory values to match your collection configuration. For Cloud SIEM Enterprise (CSE) deployments replace extracted fields with normalised schema fields: user_username, srcDevice_ip, and normalizedAction fields provided by the CSE normalisation layer.

Data Sources

  • Windows Security Event Log via Sumo Logic Installed Collector
  • Azure Active Directory Sign-in Logs via Azure Monitor or Diagnostic Settings
  • Okta System Log via Sumo Logic Okta App
  • Microsoft 365 Unified Audit Log

Required Tables

  • _sourceCategory matching os/windows/security
  • _sourceCategory matching azure/signinlogs
  • _sourceCategory matching okta/systemlog

False Positives & Tuning

  • Users who forget their password after a long weekend or holiday and attempt several times before successfully invoking self-service password reset, particularly common at domain logon from new devices where cached credentials are absent
  • Scheduled tasks or service accounts with a stale password configuration that retry on a fixed interval until a secret-rotation job updates the stored credential, generating burst failures before a single success
  • Multi-tenant Sumo Logic deployments sharing a single _sourceCategory across multiple organisations where a common username (e.g. admin, administrator) exists in multiple tenants, causing cross-tenant aggregation that artificially inflates FailureCount

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1: Simulate credential stuffing authentication pattern using PowerShell against Azure AD

     Expected signal: AADSignInLogs will show 6 ResultType != 0 events followed by 1 ResultType == 0 event for the test UPN from the same source IP within a short time window. RiskState may update in AADRiskyUsers within 15-30 minutes.

  2. Test 2: Simulate legacy protocol authentication bypass against Exchange Online (SMTP AUTH)

     Expected signal: AADSignInLogs entry with ClientAppUsed='Authenticated SMTP', AuthenticationRequirement='singleFactorAuthentication', ResultType=0 for the test account. This event will NOT appear in modern auth logs, validating the legacy auth gap.

  3. Test 3: Simulate account compromise indicators via failed then successful Windows network logon from multiple sources

     Expected signal: Windows Security EventID 4625 (LogonType 3, SubStatus 0xC000006A = wrong password) six times followed by EventID 4624 (LogonType 3) once for the test account in the domain controller Security event log. Source workstation will be the executing host.
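To check the aggregation logic of the Sumo query above outside the platform, here is an added Python re-implementation (not the page's own code and not Sumo Logic's) of the same per-account rule: normalise the user and source IP across Windows key=value events and Azure AD JSON sign-ins, count failures and successes, exclude blank users and machine accounts ending in "$", apply the FailureCount >= 5 / SuccessCount >= 1 threshold, and score by distinct source IPs. It runs over constructed sample telemetry shaped like the expected signals of Test 1 and Test 3 above, plus a benign account that only produces 50076 interrupts (excluded from the failure count, as in the query) and a machine account. All account names, IP addresses and timestamps are constructed; the Azure AD resultType 50126 used for the failure rows is an assumption (any non-zero code other than 50053/50076 counts the same way).

```python
import json
import re
from collections import defaultdict

FAILURE_CODES = {"4625", "4776"}      # Windows: failed logon / NTLM credential validation failure
SUCCESS_CODES = {"4624", "4648"}      # Windows: logon / logon with explicit credentials
IGNORED_RESULTS = {"50053", "50076"}  # Azure AD result codes the query does not count as failures


def parse_event(raw):
    """Normalise one raw event into user, ip, failure, success.
    Windows Security events are key=value lines; Azure AD sign-ins are JSON.
    A field that is absent stays None, mirroring the query's 'parse ... nodrop'."""
    ev = {"user": None, "ip": None, "failure": 0, "success": 0}
    if raw.lstrip().startswith("{"):
        doc = json.loads(raw)
        ev["user"] = doc.get("userPrincipalName")
        ev["ip"] = doc.get("ipAddress")
        result = str(doc.get("resultType", ""))
        ev["success"] = int(result == "0")
        ev["failure"] = int(result not in ("", "0") and result not in IGNORED_RESULTS)
    else:
        code = re.search(r"EventCode=(\S+)", raw)
        user = re.search(r"TargetUserName=([^\n]*)\n", raw)
        ip = re.search(r"IpAddress=([^\n]*)\n", raw)
        ev["user"] = user.group(1) if user else None
        ev["ip"] = ip.group(1) if ip else None
        if code:
            ev["failure"] = int(code.group(1) in FAILURE_CODES)
            ev["success"] = int(code.group(1) in SUCCESS_CODES)
    return ev


def risk_score(unique_ips):
    """Same banding as the query's nested if()."""
    if unique_ips > 10:
        return 95
    if unique_ips > 5:
        return 85
    if unique_ips > 2:
        return 70
    return 55


def detect(events, min_failures=5, min_successes=1):
    """events: iterable of (epoch_ms, raw). Returns per-account findings that pass
    the thresholds, highest RiskScore first, with the query's output fields."""
    acc = defaultdict(lambda: {"fail": 0, "succ": 0, "ips": set(), "first": None, "last": None})
    for ts, raw in events:
        ev = parse_event(raw)
        user = ev["user"]
        # same exclusions as the query's where clause: blank, "-" and machine accounts
        if not user or user == "-" or user.endswith("$"):
            continue
        a = acc[user]
        a["fail"] += ev["failure"]
        a["succ"] += ev["success"]
        if ev["ip"]:
            a["ips"].add(ev["ip"])
        a["first"] = ts if a["first"] is None else min(a["first"], ts)
        a["last"] = ts if a["last"] is None else max(a["last"], ts)
    findings = []
    for user, a in acc.items():
        if a["fail"] >= min_failures and a["succ"] >= min_successes:
            findings.append({
                "AuthUser": user,
                "FailureCount": a["fail"],
                "SuccessCount": a["succ"],
                "UniqueIPs": len(a["ips"]),
                "IPList": sorted(a["ips"]),
                "WindowMinutes": round((a["last"] - a["first"]) / 60000, 1),
                "RiskScore": risk_score(len(a["ips"])),
                "DetectionType": "CredentialStuffingThenSuccess",
            })
    return sorted(findings, key=lambda f: f["RiskScore"], reverse=True)


def win_event(code, user, ip):
    # Constructed Windows Security event in the key=value shape the query parses
    return f"EventCode={code}\nTargetUserName={user}\nIpAddress={ip}\nLogonType=3\n"


def azure_event(result, upn, ip):
    # Constructed Azure AD sign-in record carrying only the fields the query uses
    return json.dumps({"resultType": result, "userPrincipalName": upn, "ipAddress": ip})


# Constructed sample telemetry (sample accounts and addresses, not real ones)
T0 = 1_700_000_000_000
SAMPLE_EVENTS = (
    # Test 3 shape: six 4625s from three source hosts, then one 4624, over 10 minutes
    [(T0 + i * 60_000, win_event("4625", "alice", f"10.0.0.{i % 3 + 1}")) for i in range(6)]
    + [(T0 + 600_000, win_event("4624", "alice", "10.0.0.3"))]
    # Test 1 shape: six Azure AD failures then a success from a single IP (assumed code 50126)
    + [(T0 + i * 30_000, azure_event("50126", "bob@example.com", "198.51.100.7")) for i in range(6)]
    + [(T0 + 180_000, azure_event("0", "bob@example.com", "198.51.100.7"))]
    # Benign: 50076 interrupts are not failures, so this account never reaches the threshold
    + [(T0 + i * 10_000, azure_event("50076", "carol@example.com", "203.0.113.9")) for i in range(5)]
    + [(T0 + 60_000, azure_event("0", "carol@example.com", "203.0.113.9"))]
    # Excluded by the "$" rule even though it has many failures
    + [(T0 + i * 1_000, win_event("4625", "SERVER01$", "10.0.0.9")) for i in range(8)]
)

if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Running the block lists alice (three source IPs, RiskScore 70, WindowMinutes 10.0) and then bob@example.com (one IP, RiskScore 55); carol and the machine account produce no finding. Swapping the thresholds or the banding in `detect` and `risk_score` is the quickest way to see how a tuning change moves accounts in and out of the result before editing the scheduled search.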
