/
aws_high_number_of_failed_authentications_for_user.yml
62 lines (62 loc) · 2.19 KB
/
aws_high_number_of_failed_authentications_for_user.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
name: AWS High Number Of Failed Authentications For User
id: e3236f49-daf3-4b70-b808-9290912ac64d
version: 1
date: '2023-01-27'
author: Bhavin Patel, Splunk
status: production
type: Anomaly
description: The following analytic identifies an AWS account with more than 20 failed
authentication events in the span of 5 minutes. This behavior could represent a
brute force attack against the account. As environments differ across organizations,
security teams should customize the threshold of this detection.
data_source:
- AWS CloudTrail ConsoleLogin
search: '`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time
| stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent)
by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts
> 20 | `aws_high_number_of_failed_authentications_for_user_filter`'
how_to_implement: You must install Splunk AWS Add on and Splunk App for AWS. This
search works with AWS CloudTrail logs.
known_false_positives: A user with more than 20 failed authentication attempts in
the span of 5 minutes may also be triggered by a broken application.
references:
- https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html
tags:
analytic_story:
- Compromised User Account
- AWS Identity and Access Management Account Takeover
asset_type: AWS Account
confidence: 70
impact: 50
message: User $user_name$ failed to authenticate more than 20 times in the span
of 5 minutes for AWS Account $aws_account_id$
mitre_attack_id:
- T1201
observable:
- name: user_name
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- eventName
- userAgent
- errorCode
- requestParameters.userName
- eventSource
- user_arn
- aws_account_id
- src_ip
risk_score: 35
security_domain: threat
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/aws_multiple_login_fail_per_user/cloudtrail.json
sourcetype: aws:cloudtrail
source: aws_cloudtrail
update_timestamp: true