Valid Accounts: Cloud Accounts T1078.004

Events covered

2 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 290 rules above: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors so Sigma's Image, Elastic's process.name, and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (344 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Top indicator values (928 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely-used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique. Click a value to expand the rules under this technique that use it.

Exclusions (278 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths. Click a value to expand the rules under this technique that exclude it.

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor. Click a rule title for its full predicates, exclusions, and indicators.

Sigma 47 rules

• Account Disabled or Blocked for Sign in Attempts
• Application AppID Uri Configuration Changes
• Application URI Configuration Changes
• Attempt To Get Credentials For Identity
• Attempt To Get Federation Token
• Attempt To Get Signin Token
• AWS IAM S3Browser LoginProfile Creation
• AWS IAM S3Browser Templated S3 Bucket Policy Creation
• AWS IAM S3Browser User or AccessKey Creation
• AWS Root Credentials
• AWS SAML Provider Deletion Activity
• AWS Successful Console Login Without MFA
• Azure AD Only Single Factor Authentication Required
• Azure Subscription Permission Elevation Via ActivityLogs
• Bitbucket User Login Failure
• Bitlocker Key Retrieval
• Changes To PIM Settings
• Device Registration or Join Without MFA
• Failed Authentications From Countries You Do Not Operate Out Of
• Get Credentials For Identity
• Get Federation Token
• Get Signin Token
• Github New Secret Created
• Github Self Hosted Runner Changes Detected
• Github SSH Certificate Configuration Changed
• Guest User Invited By Non Approved Inviters
• Login to Disabled Account
• macOS SSH Connection Detection
• Multifactor Authentication Denied
• Multifactor Authentication Interrupted
• Okta New Admin Console Behaviours
• Password Reset By User Account
• PIM Approvals And Deny Elevation
• Potential MFA Bypass Using Legacy Client Authentication
• Privileged Account Creation
• Sign-in Failure Due to Conditional Access Requirements Not Met
• Sign-ins by Unknown Devices
• Sign-ins from Non-Compliant Devices
• Successful Authentications From Countries You Do Not Operate Out Of
• Suspicious Login Activity Classified By Google
• Temporary Access Pass Added To An Account
• Use of Legacy Authentication Protocols
• User Access Blocked by Azure Conditional Access
• User Added To Privilege Role
• User State Changed From Guest To Member
• Users Added to Global or Device Admin Roles
• Users Authenticating To Other Azure AD Tenants

Elastic 119 rules

• AWS Access Token Used from Multiple Addresses
• AWS AssumeRoleWithWebIdentity from Kubernetes SA and External ASN
• AWS Bedrock Foundation Model Enumeration Followed by Invocation via Long-Term Key
• AWS CloudShell Environment Created
• AWS Credentials Used from GitHub Actions and Non-CI/CD Infrastructure
• AWS EC2 Instance Console Login via Assumed Role
• AWS EC2 Instance Interaction with IAM Service
• AWS EC2 Instance Profile Associated with Running Instance
• AWS EC2 Unauthorized Admin Credential Fetch via Assumed Role
• AWS IAM API Calls via Temporary Session Tokens
• AWS IAM Assume Role Policy Update
• AWS IAM CompromisedKeyQuarantine Policy Attached to User
• AWS IAM Login Profile Added for Root
• AWS IAM Login Profile Added to User
• AWS IAM Long-Term Access Key Correlated with Elevated Detection Alerts
• AWS IAM Long-Term Access Key First Seen from Source IP
• AWS IAM OIDC Provider Created by Rare User
• AWS IAM SAML Provider Created
• AWS IAM Sensitive Operations via Lambda Execution Role
• AWS IAM Virtual MFA Device Registration Attempt with Session Token
• AWS Management Console Root Login
• AWS Rare Source AS Organization Activity
• AWS Sign-In Console Login with Federated User
• AWS Sign-In Root Password Recovery Requested
• AWS Sign-In Token Created
• AWS STS AssumeRole with New MFA Device
• AWS STS AssumeRoot by Rare User and Member Account
• AWS STS GetSessionToken Usage
• AWS STS Role Assumption by User
• AWS STS Role Chaining
• AWS Suspicious User Agent Fingerprint
• Azure Arc Cluster Credential Access by Identity from Unusual Source
• Azure Kubernetes Services (AKS) Kubernetes Rolebindings Created
• Azure Service Principal Sign-In Followed by Arc Cluster Credential Access
• Azure Storage Account Keys Accessed by Privileged User
• Entra ID Actor Token User Impersonation Abuse
• Entra ID Concurrent Sign-in with Suspicious Properties
• Entra ID High Risk Sign-in
• Entra ID High Risk User Sign-in Heuristic
• Entra ID Kali365 Default User-Agent Detected
• Entra ID Microsoft Authentication Broker Sign-In to Unusual Resource
• Entra ID Microsoft Authentication Broker Sign-In with Non-Standard User Agent
• Entra ID OAuth Authorization Code Grant for Unusual User, App, and Resource
• Entra ID OAuth Device Code Flow with Concurrent Sign-ins
• Entra ID OAuth Device Code Grant by Microsoft Authentication Broker
• Entra ID OAuth Device Code Grant by Unusual User
• Entra ID OAuth Device Code Phishing via AiTM
• Entra ID OAuth Flow by Microsoft Authentication Broker to Device Registration Service (DRS)
• Entra ID OAuth Phishing via First-Party Microsoft Application
• Entra ID OAuth PRT Issuance to Non-Managed Device Detected
• Entra ID OAuth ROPC Grant Login Detected
• Entra ID OAuth User Impersonation to Microsoft Graph
• Entra ID OAuth user_impersonation Scope for Unusual User and Client
• Entra ID PowerShell Sign-in
• Entra ID Protection - Risk Detection - Sign-in Risk
• Entra ID Protection - Risk Detection - User Risk
• Entra ID Protection Admin Confirmed Compromise
• Entra ID Protection Alerts for User Detected
• Entra ID Protection User Alert and Device Registration
• Entra ID Service Principal Federated Credential Authentication by Unusual Client
• Entra ID Service Principal with Unusual Source ASN
• Entra ID Sharepoint or OneDrive Accessed by Unusual Client
• Entra ID User Added as Service Principal Owner
• Entra ID User Reported Suspicious Activity
• Entra ID User Sign-in with Unusual Authentication Type
• Entra ID User Sign-in with Unusual Client
• Entra ID User Sign-in with Unusual Non-Managed Device
• External User Added to Google Workspace Group
• First Occurrence of GitHub Repo Interaction From a New IP
• First Occurrence of IP Address For GitHub Personal Access Token (PAT)
• First Occurrence of IP Address For GitHub User
• First Occurrence of Okta User Session Started via Proxy
• First Occurrence of Personal Access Token (PAT) Use For a GitHub User
• First Occurrence of Private Repo Event from Specific GitHub Personal Access Token (PAT)
• First Occurrence of User Agent For a GitHub Personal Access Token (PAT)
• First Occurrence of User-Agent For a GitHub User
• First Time Seen Google Workspace OAuth Login from Third-Party Application
• FortiGate FortiCloud SSO Login from Unusual Source
• Github Activity on a Private Repository from an Unusual IP
• Google Workspace Device Registration Burst for Single User
• Google Workspace Login Flagged Suspicious
• Google Workspace Suspended User Account Renewed
• Google Workspace User Login with Unusual ASN
• Google Workspace User Sign-in from Atypical Device Type
• High Number of Okta User Password Reset or Unlock Attempts
• M365 Entra ID Risk Detection Signal
• M365 Identity Login from Atypical Region
• M365 Identity Login from Impossible Travel Location
• M365 Identity OAuth Flow by First-Party Microsoft App from Multiple IPs
• M365 Identity OAuth Phishing via First-Party Microsoft Application
• M365 Identity Unusual SSO Authentication Errors for User
• M365 Identity User Account Lockouts
• Microsoft Graph Request User Impersonation by Unusual Client
• Multiple Okta User Auth Events with Same Device Token Hash Behind a Proxy
• New Okta Authentication Behavior Detected
• Okta Admin Console Login Failure
• Okta Alerts Following Unusual Proxy Authentication
• Okta Sign-In Events via Third-Party IdP
• Okta Successful Login After Credential Attack
• Okta User Session Impersonation
• Okta User Sessions Started from Different Geolocations
• Potential Okta MFA Bombing via Push Notifications
• Potentially Successful Okta MFA Bombing via Push Notifications
• Successful Application SSO from Rare Unknown Client Device
• Unauthorized Access to an Okta Application
• Unauthorized Scope for Public App OAuth2 Token Grant with Client Credentials
• Unusual AWS Command for a User
• Unusual AWS S3 Object Encryption with SSE-C
• Unusual Azure Activity Logs Event for a User
• Unusual City For a GCP Event
• Unusual City For an AWS Command
• Unusual City for an Azure Activity Logs Event
• Unusual Country For a GCP Event
• Unusual Country For an AWS Command
• Unusual Country for an Azure Activity Logs Event
• Unusual GCP Event for a User
• Unusual Host Name for Okta Privileged Operations Detected
• Unusual Region Name for Okta Privileged Operations Detected
• Unusual Source IP for Okta Privileged Operations Detected

Splunk 20 rules

• ASL AWS Create Policy Version to allow all resources
• AWS Create Policy Version to allow all resources
• AWS SetDefaultPolicyVersion
• AWS Successful Single-Factor Authentication
• Azure AD Authentication Failed During MFA Challenge
• Azure AD Multiple Failed MFA Requests For User
• Azure AD Service Principal Authentication
• Azure AD Successful PowerShell Authentication
• Azure AD Successful Single-Factor Authentication
• Azure Runbook Webhook Created
• Cloud Compute Instance Created By Previously Unseen User
• Cloud Instance Modified By Previously Unseen User
• GCP Authentication Failed During MFA Challenge
• GCP Multiple Failed MFA Requests For User
• GCP Successful Single-Factor Authentication
• O365 Security And Compliance Alert Triggered
• Okta Authentication Failed During MFA Challenge
• Okta Successful Single Factor Authentication
• Okta ThreatInsight Threat Detected
• Windows Entra User Management Via Azure CLI

Kusto 58 rules

• Account Created and Deleted in Short Timeframe
• Account created or deleted by non-approved user
• Account Elevated to New Role
• Addition of a Temporary Access Pass to a Privileged Account
• Admin promotion after Role Management Application Permission Grant
• Anomalous Single Factor Signin
• Application ID URI Changed
• Application Redirect URL Update
• Authentication Attempt from New Country
• Authentications of Privileged Accounts Outside of Expected Controls
• Bulk Changes to Privileged Account Permissions
• Changes to Application Logout URL
• Changes to Application Ownership
• Changes to PIM Settings
• Conditional Access Policy Modified by New User
• Cross-tenant Access Settings Organization Added
• Cross-tenant Access Settings Organization Deleted
• Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed
• Cross-tenant Access Settings Organization Inbound Direct Settings Changed
• Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed
• Cross-tenant Access Settings Organization Outbound Direct Settings Changed
• Detect changes to Connect Sync Application
• Detect credential add to Connect Sync Application
• Detect device code login with user risk
• End-user consent stopped due to risk-based consent
• External guest invitation followed by Microsoft Entra ID PowerShell signin
• GCP Audit Logs - Data Access Logging Exemption Added for Principal
• GCP Audit Logs - Storage Bucket Made Public
• Guest accounts added in Entra ID Groups other than the ones specified
• Guest Users Invited to Tenant by New Inviters
• High-Risk Cross-Cloud User Impersonation
• MFA Rejected by User
• Microsoft Entra ID Role Management Permission Grant
• New PA, PCA, or PCAS added to Azure DevOps
• New User Assigned to Privileged Role
• NRT PIM Elevation Request Rejected
• NRT Privileged Role Assigned Outside PIM
• PIM Elevation Request Rejected
• Possible AiTM Phishing Attempt Against Microsoft Entra ID
• Privileged Account Permissions Changed
• Privileged Accounts - Sign in Failure Spikes
• Privileged Role Assigned Outside PIM
• Privileged User Logon from new ASN
• Service Principal Assigned App Role With Sensitive Access
• Service Principal Assigned Privileged Role
• Service Principal Authentication Attempt from New Country
• SlackAudit - User login after deactivated.
• Suspicious linking of existing user to external User
• Suspicious Login from deleted guest account
• Suspicious modification of Global Administrator user properties
• Suspicious Sign In by Entra ID Connect Sync Account
• Suspicious Sign In Followed by MFA Modification
• Threat Essentials - User Assigned Privileged Role
• URL Added to Application from Unknown Domain
• User Accounts - Sign in Failure due to CA Spikes
• User Added to Admin Role
• User Assigned New Privileged Role
• User Login from Different Countries within 3 hours

YARA-L 15 rules

• AWS API Call Outside Of Organization
• AWS Console Login Without MFA
• AWS IAM Administrator Access Policy Attached
• AWS User Creates Permanent Access Key
• Entra ID Admin Login Activity to Uncommon MS Cloud Apps
• Entra ID Login Activity to Uncommon MS Cloud Apps
• GCP Workload Identity Pool Disabled Or Deleted
• Google Workspace External User Added To Group
• Google Workspace User Unsuspended
• O365 Admin Login Activity To Uncommon Microsoft Cloud Apps
• O365 Login Activity To Azure AD PowerShell App
• O365 Login Activity To Uncommon Microsoft Cloud Apps
• OneLogin Multiple Users Login Failures From The Same IP
• OneLogin Super User Privileges Assigned
• OneLogin User Logins From Multiple Countries

Panther 31 rules

• AWS Compromised IAM Key Quarantine
• AWS IMDS Credential Usage Outside Expected Services
• Azure Automation Runbook Created or Modified
• Azure Device Code Authentication with Broker Client
• Azure Kubernetes RoleBinding or ClusterRoleBinding Created
• Azure Microsoft Graph Single Session from Multiple IP Addresses
• Azure Policy DeployIfNotExists Action Triggered
• Azure Privileged or Elevated Role Assignment
• Azure Protection Multiple Alerts for User
• Azure ROPC Login Attempt Without MFA
• GAIA GCPW Credential Theft Attack Chain
• GCP User Added to Privileged Group
• Google Workspace Login Type Anomaly
• Google Workspace OAuth Application Authorized with Privileged Scopes
• Google Workspace OAuth Token Requests from New IP
• Google Workspace Rapid Multi-IP Authentication
• IAM Role Added to RDS Instance or Cluster
• Kubernetes ClusterRoleBinding to Privileged Role
• Kubernetes Role With Node Proxy Permissions Created
• Kubernetes Role With Pod Exec Permissions Created
• Kubernetes Role With Wildcard Permissions Created
• Kubernetes Service Account Token Theft from Pod
• Kubernetes System Role Modified or Deleted
• Okta AiTM Phishing Attempt Blocked by FastPass
• Okta New Behaviors Acessing Admin Console
• Okta Org2Org application created of modified
• Sign In from Rogue State
• Slack Primary Owner Transferred
• Suspicious Snowflake Sessions - Unusual Application
• Wiz Rotate Service Account Secret
• Wiz Service Account Change