T1650 Acquire Access Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

// T1650 — Acquire Access: Detect activated IAB-sold footholds via anomalous first-use authentication
let lookbackDays = 30d;
let alertWindowHours = 24h;
// Build baseline of known IPs and locations per user over past 30 days
let historicalBaseline = AADSignInLogs
| where TimeGenerated between (ago(lookbackDays) .. ago(alertWindowHours))
| where ResultType == 0
| summarize
    HistoricalIPs = make_set(IPAddress, 500),
    HistoricalCountries = make_set(Location, 100),
    AccountAgeInDays = count()
    by UserPrincipalName;
// Identify recent high-risk or anomalous successful sign-ins
let recentHighRiskSignins = AADSignInLogs
| where TimeGenerated > ago(alertWindowHours)
| where ResultType == 0
| where RiskLevelDuringSignIn in ("high", "medium")
    or RiskState in ("atRisk", "confirmedCompromised")
    or RiskDetail has_any ("unfamiliarFeatures", "anonymizedIPAddress", "maliciousIPAddress", "impossibleTravel", "newCountry")
| project
    TimeGenerated,
    UserPrincipalName,
    IPAddress,
    Location,
    AppDisplayName,
    DeviceDetail = tostring(DeviceDetail),
    RiskLevelDuringSignIn,
    RiskState,
    RiskDetail = tostring(RiskDetail),
    AuthenticationRequirement,
    ConditionalAccessStatus,
    CorrelationId;
// Join to baseline — flag new-country/new-IP access for established accounts
recentHighRiskSignins
| join kind=leftouter historicalBaseline on UserPrincipalName
| where AccountAgeInDays > 7 // Established account, not brand new
| where not(IPAddress in (HistoricalIPs))
| where not(Location in (HistoricalCountries))
| extend
    RiskScore = case(
        RiskLevelDuringSignIn == "high", 3,
        RiskLevelDuringSignIn == "medium", 2,
        1
    ),
    NewGeolocation = strcat("New country/IP for this account: ", Location, " / ", IPAddress),
    BrokerIndicators = case(
        RiskDetail has "anonymizedIPAddress", "TOR/VPN exit node — common IAB delivery mechanism",
        RiskDetail has "maliciousIPAddress", "Known malicious IP — potential broker infrastructure",
        RiskDetail has "impossibleTravel", "Impossible travel — credential handoff to remote threat actor",
        RiskDetail has "newCountry", "New country logon — new actor using acquired creds",
        "High-risk sign-in from unknown location"
    )
| where RiskScore >= 2
| project
    TimeGenerated,
    UserPrincipalName,
    IPAddress,
    Location,
    AppDisplayName,
    RiskLevelDuringSignIn,
    RiskState,
    BrokerIndicators,
    NewGeolocation,
    ConditionalAccessStatus,
    CorrelationId
| order by TimeGenerated desc

high severity medium confidence

Data Sources

Azure Active Directory Microsoft Entra ID Protection

Required Tables

AADSignInLogs

False Positives

Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions
New employee first logon from home network or coworking space not in organizational baseline
Mergers/acquisitions onboarding new users from previously unseen IP ranges

Splunk

spl

| union
    [search index=wineventlog OR index=azure sourcetype="azure:aad:signin"
     | where result="0" AND risk_level_during_signin IN ("high", "medium")
     | eval broker_indicator=case(
         like(risk_detail, "%anonymizedIPAddress%"), "TOR/VPN exit node",
         like(risk_detail, "%maliciousIPAddress%"), "Known malicious IP",
         like(risk_detail, "%impossibleTravel%"), "Impossible travel - credential handoff",
         like(risk_detail, "%newCountry%"), "New country - new actor",
         true(), "High-risk unfamiliar sign-in"
     )
     | eval event_source="Azure AD Sign-In"
     | table _time, user, src_ip, location, app, risk_level_during_signin, risk_state, broker_indicator, event_source]
    [search index=wineventlog sourcetype="WinEventLog:Security" EventCode=4624
     | eval LogonTypeDesc=case(
         Logon_Type="10", "RemoteInteractive (RDP)",
         Logon_Type="3", "Network",
         Logon_Type="8", "NetworkCleartext",
         true(), "Other"
     )
     | where Logon_Type IN ("10", "3")
     | where NOT (src_ip="127.0.0.1" OR src_ip="::1" OR src_ip="-")
     | rex field=_raw "IpAddress:\s+(?<src_ip>[\d\.]+)"
     | eval event_source="Windows Security 4624"
     | eval broker_indicator="External network logon - validate against known IPs"
     | table _time, user, src_ip, LogonTypeDesc, broker_indicator, event_source]
| sort -_time
| eval detection_time=strftime(_time, "%Y-%m-%d %H:%M:%S")
| stats
    count AS auth_events,
    values(broker_indicator) AS broker_indicators,
    values(src_ip) AS source_ips,
    values(location) AS locations,
    values(event_source) AS sources,
    min(_time) AS first_seen,
    max(_time) AS last_seen
    by user
| where auth_events >= 1 AND mvcount(broker_indicators) >= 1
| eval risk_narrative=mvjoin(broker_indicators, " | ")
| eval ip_list=mvjoin(source_ips, ", ")
| table user, auth_events, risk_narrative, ip_list, locations, first_seen, last_seen
| sort -auth_events

high severity medium confidence

Data Sources

Azure AD Sign-In Logs Windows Security Event Log

Required Sourcetypes

azure:aad:signin WinEventLog:Security

False Positives

Executive travel to new countries triggering impossible travel and new geolocation alerts simultaneously
Corporate proxy or NAT changes making all users appear to sign in from new IP addresses
Third-party IT service providers with rotating IP ranges conducting legitimate remote management sessions
Help desk personnel using jump servers or remote access tools from centralized infrastructure
Cloud-hosted workstations (Azure Virtual Desktop, AWS WorkSpaces) with dynamic IP assignments

Elastic Security (EQL)

eql

any where event.dataset : "azure.*" and (
  event.action : ("Add*", "Update*", "Delete*", "Consent*") and
  not user.name : "service-*"
) or (
  event.dataset == "azure.signinlogs" and
  event.outcome == "success" and
  source.as.organization.name : ("Tor*", "VPN*")
)

high severity medium confidence

Data Sources

Azure Active Directory Elastic Azure Integration

Required Tables

logs-azure.auditlogs-* logs-azure.signinlogs-*

False Positives

Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions

IBM QRadar (AQL)

sql

SELECT
    DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
    LOGSOURCENAME(logsourceid) AS LogSource,
    "username" AS UserPrincipalName,
    sourceip AS SourceIP,
    "EventName" AS Operation,
    CASE
        WHEN "EventName" ILIKE '%delete%' OR "EventName" ILIKE '%remove%' THEN 85
        WHEN "EventName" ILIKE '%add%' OR "EventName" ILIKE '%create%' THEN 70
        WHEN "EventName" ILIKE '%update%' THEN 65
        ELSE 55
    END AS RiskScore
FROM events
WHERE
    LOGSOURCETYPENAME(devicetype) IN ('Microsoft Azure', 'Azure Active Directory Audit Log')
    AND ("EventName" ILIKE '%subscription%'
        OR "EventName" ILIKE '%consent%'
        OR "EventName" ILIKE '%permission%'
        OR "EventName" ILIKE '%role%')
    AND RiskScore >= 65
ORDER BY EventTime DESC
LAST 24 HOURS

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Events Endpoint Agent

Required Tables

events

False Positives

Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions

Sumo Logic CSE

sql

_sourceCategory=azure/audit OR _sourceCategory=azure/signin
| json auto
| where operation_name matches /(add|delete|update|consent|create)/i
| where !(initiated_by_user matches /service-/) 
| if(result_reason matches /fail/i, "Failed", "Success") as result
| if(operation_name matches /delete/i, 85,
    if(operation_name matches /consent/i, 80,
    if(operation_name matches /(add|create)/i, 70, 55))) as risk_score
| where risk_score >= 70
| count by initiated_by_user, operation_name, target_display_name, risk_score, source_ip
| sort - risk_score

high severity medium confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs Endpoint Telemetry

Required Tables

_sourceCategory=azure/audit OR _sourceCategory=azure/signin

False Positives

Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions

Google Chronicle / SecOps

yaral

rule detection_t1650 {
  meta:
    author = "Argus Detection Platform"
    description = "Detects Acquire Access cloud activity - T1650"
    severity = "HIGH"
    mitre_attack = "T1650"
    reference = "https://attack.mitre.org/techniques/T1650/"

  events:
    $e.metadata.event_type = "USER_CHANGE"
    $e.principal.user.userid = $user
    $e.principal.ip = $source_ip
    $e.target.resource.name = $resource
    (
      re.regex($e.metadata.product_event_type, `(?i)(add|delete|consent|update|create)`) and
      not re.regex($e.principal.user.userid, `(?i)(service-|automation-|pipeline-)`)
    )

  condition:
    $e
}

high severity medium confidence

Data Sources

Azure AD Microsoft 365

Required Tables

USER_CHANGE RESOURCE_CREATION

False Positives

Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions

CrowdStrike LogScale (CQL)

cql

#event_simpleName = "UserActivityAuditEvent"
| EventName = /(?i)(add|delete|consent|update|create)/
| UserName != /(?i)(service-|automation-|pipeline-)/
| case {
    EventName = /(?i)delete/ | RiskScore := "High" ;
    EventName = /(?i)consent/ | RiskScore := "High" ;
    EventName = /(?i)(add|create)/ | RiskScore := "Medium" ;
    * | RiskScore := "Low"
}
| RiskScore != "Low"
| table([UserName, EventName, TargetObjectId, SourceIPAddress, RiskScore, @timestamp])
| sort(@timestamp, order=desc, limit=100)

high severity medium confidence

Data Sources

CrowdStrike Falcon Identity Protection

Required Tables

UserActivityAuditEvent AuthActivityAuditEvent

False Positives

Legitimate employee travel to a new country using personal or hotel WiFi triggering new geolocation detection
Corporate VPN exit node changes or new VPN infrastructure rollout causing unfamiliar IP signals
IT administrators using anonymizing proxies or jump hosts for infrastructure management from new regions

Acquire Access

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Same Tactic: Resource Development

Popular Detections