Skip to content

DET0291 Detection of Cloud Service Dashboard Usage via GUI-Based Cloud Access

Item Value
ID DET0291
Version 1.0
Created 21 October 2025
Last Modified 21 October 2025

Technique Detected: T1538 (Cloud Service Dashboard)

Analytics

IaaS

AN0808

Detects web console login events followed by read-only or metadata retrieval activity from GUI sources (e.g., browser session, mobile client) rather than API/CLI sources. Correlates across CloudTrail, IAM identity logs, and user-agent context.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) AWS:CloudTrail ConsoleLogin
Cloud Storage Metadata (DC0027) AWS:CloudTrail Post-authentication metadata enumeration from GUI session
Mutable Elements
Field Description
UserAgentFilter Allowlist/denylist of user agents to distinguish browser-based vs. CLI/API sessions
TimeWindow Maximum time delta between login and suspicious GUI activity
PrivilegedSessionThreshold Login attempts to dashboard using elevated IAM roles

Identity Provider

AN0809

Detects successful login to cloud identity portals (e.g., Okta, Azure AD, Google Identity) from atypical geolocations, devices, or user agents immediately followed by dashboard/portal navigation to sensitive pages such as user or app configuration.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) azure:signinlogs Sign-in with unfamiliar location/device + portal navigation
Logon Session Creation (DC0067) saas:okta user.session.start
Application Log Content (DC0038) saas:okta WebUI access to administrator dashboard
Mutable Elements
Field Description
GeoIPAnomalyThreshold Threshold for location anomalies per user profile
UserAgentReputation Unknown browser/device fingerprint list
PrivilegedPageAccess List of sensitive dashboard views for alerting

Office Suite

AN0810

Detects login to admin consoles (e.g., Microsoft 365 Admin Center) from unrecognized users, devices, or geolocations followed by non-API data review or configuration read actions that suggest GUI dashboard use.

Log Sources
Data Component Name Channel
User Account Authentication (DC0002) m365:signinlogs UserLoginSuccess
Logon Session Creation (DC0067) m365:unified ViewAdminReport
Application Log Content (DC0038) m365:unified Read-only configuration review from GUI
Mutable Elements
Field Description
AdminRoleList Roles allowed to access dashboard views
DashboardNavigationSequence Pageview paths or clickstreams indicating use of GUI admin console
GeoLocationRisk List of high-risk regions or unexpected geos

SaaS

AN0811

Detects SaaS web login followed by dashboard or web GUI page views from unfamiliar locations, devices, or access patterns. Identifies use of sensitive reporting or configuration consoles accessed from high-risk accounts.

Log Sources
Data Component Name Channel
Logon Session Creation (DC0067) saas:zoom Zoom Admin Dashboard accessed from unfamiliar IP/device
User Account Authentication (DC0002) saas:salesforce Login
Application Log Content (DC0038) saas:box User navigated to admin interface
Mutable Elements
Field Description
SaaSDashboardViewList List of GUI pages or endpoints considered sensitive
IPReputationThreshold Reputation score or allowlist of source IPs
LoginBehaviorBaseline Typical user/device login pairings or login frequency