detect_new_user_aws_console_login.yml
name: Detect new user AWS Console Login
id: ada0f478-84a8-4641-a3f3-d82362dffd75
version: 2
date: '2020-07-21'
author: Bhavin Patel, Splunk
status: deprecated
type: Hunting
description: This search looks for AWS CloudTrail ConsoleLogin events recorded within
  the last hour and compares each user (identified by the userIdentity ARN) against a
  lookup of previously seen console users. A user is flagged when their earliest observed
  console login falls within the last 70 minutes, i.e. the ARN has logged into the
  console for the first time. This search is deprecated; an updated version uses the
  Authentication datamodel instead.
data_source: []
search: '`cloudtrail` eventName=ConsoleLogin
  | rename userIdentity.arn as user
  | stats earliest(_time) as firstTime latest(_time) as lastTime by user
  | inputlookup append=t previously_seen_users_console_logins_cloudtrail
  | stats min(firstTime) as firstTime max(lastTime) as lastTime by user
  | eval userStatus=if(firstTime >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console", "Previously Seen User")
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | where userStatus="First Time Logging into AWS Console"
  | `detect_new_user_aws_console_login_filter`'
how_to_implement: You must install the AWS App for Splunk (version 5.1.0 or later)
  and the Splunk Add-on for AWS (version 4.4.0 or later), then configure your AWS CloudTrail
  inputs. Run the "Previously seen users in AWS CloudTrail" support search only once
  to create a baseline of IAM users seen within the last 30 days. Run "Update
  previously seen users in AWS CloudTrail" hourly (or more frequently, depending on
  how often you run the detection searches) to refresh the baseline; the 70-minute
  window in the search assumes the baseline is no more than about an hour behind.
known_false_positives: When a legitimate new user logs in for the first time, this
  activity will be detected. Check how old the account is and verify that the user's
  activity is legitimate.
references: []
tags:
  analytic_story:
  - Suspicious AWS Login Activities
  asset_type: AWS Instance
  confidence: 50
  impact: 50
  message: tbd
  mitre_attack_id:
  - T1078.004
  observable:
  - name: field
    type: Unknown
    role:
    - Unknown
  product:
  - Splunk Enterprise
  - Splunk Enterprise Security
  - Splunk Cloud
  required_fields:
  - _time
  - eventName
  - userIdentity.arn
  risk_score: 25
  security_domain: network
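The following is an added example, not code from the Splunk security_content project: a plain-Python re-implementation of the SPL pipeline in the `search` field, run over constructed CloudTrail ConsoleLogin records and a constructed baseline lookup, so the first-time-login logic and the hourly baseline refresh described under `how_to_implement` can be exercised offline. Function and field names mirror the SPL stages; the lookup layout (columns user, firstTime, lastTime as epoch seconds) is an assumption, since the page does not show the support searches that build it.

```python
# Added example, not code from the Splunk security_content project: a plain-Python
# re-implementation of the SPL pipeline in the `search` field, run over constructed
# CloudTrail ConsoleLogin records and a constructed baseline lookup so the
# first-time-login logic (and the hourly baseline refresh from how_to_implement)
# can be exercised offline. The lookup layout (user, firstTime, lastTime as epoch
# seconds) is an assumption; the page does not show the support searches.
from datetime import datetime, timezone

FIRST_TIME = "First Time Logging into AWS Console"
PREVIOUSLY_SEEN = "Previously Seen User"


def epoch(event_time):
    """CloudTrail eventTime is ISO-8601 UTC ('2020-07-21T09:15:02Z') -> epoch seconds."""
    return int(datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ")
               .replace(tzinfo=timezone.utc).timestamp())


def relative_time_minus_70m(now):
    """SPL relative_time(now(), "-70m@m"): 70 minutes before now, snapped to the minute."""
    return (int(now) // 60 - 70) * 60


def console_login_first_last(events):
    """`cloudtrail` eventName=ConsoleLogin | rename userIdentity.arn as user
    | stats earliest(_time) as firstTime latest(_time) as lastTime by user"""
    per_user = {}
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue  # other CloudTrail events (AssumeRole, ...) are out of scope
        user = ev.get("userIdentity", {}).get("arn")
        if not user:
            continue  # no ARN: like SPL, rows with a null by-field are dropped
        t = epoch(ev["eventTime"])
        first, last = per_user.get(user, (t, t))
        per_user[user] = (min(first, t), max(last, t))
    return [{"user": u, "firstTime": f, "lastTime": l} for u, (f, l) in per_user.items()]


def merge_with_baseline(current, baseline):
    """| inputlookup append=t previously_seen_users_console_logins_cdoudtrail
    | stats min(firstTime) as firstTime max(lastTime) as lastTime by user
    The merged table is also what an hourly baseline refresh would write back."""
    merged = {}
    for row in list(current) + list(baseline):
        f, l = merged.get(row["user"], (row["firstTime"], row["lastTime"]))
        merged[row["user"]] = (min(f, row["firstTime"]), max(l, row["lastTime"]))
    return [{"user": u, "firstTime": f, "lastTime": l} for u, (f, l) in merged.items()]


def detect_new_console_logins(events, baseline, now):
    """Whole pipeline: eval userStatus over the merged table, keep FIRST_TIME rows."""
    cutoff = relative_time_minus_70m(now)
    flagged = []
    for row in merge_with_baseline(console_login_first_last(events), baseline):
        row["userStatus"] = FIRST_TIME if row["firstTime"] >= cutoff else PREVIOUSLY_SEEN
        if row["userStatus"] == FIRST_TIME:
            flagged.append(row)
    return sorted(flagged, key=lambda r: r["user"])


# Constructed sample data (not real CloudTrail output). "now" is 2020-07-21T10:00:00Z.
NOW = epoch("2020-07-21T10:00:00Z")
SAMPLE_EVENTS = [
    {"eventName": "ConsoleLogin", "eventTime": "2020-07-21T09:15:02Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "ConsoleLogin", "eventTime": "2020-07-21T09:50:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventName": "ConsoleLogin", "eventTime": "2020-07-21T09:40:10Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    # carol's only login is 90 minutes old. An hourly search would not even return
    # it; it is included here to show that a firstTime outside the 70-minute window
    # is classified as previously seen.
    {"eventName": "ConsoleLogin", "eventTime": "2020-07-21T08:30:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}},
    {"eventName": "AssumeRole", "eventTime": "2020-07-21T09:45:00Z",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/dave"}},
]
SAMPLE_BASELINE = [  # bob has been seen before; alice and carol have not
    {"user": "arn:aws:iam::123456789012:user/bob",
     "firstTime": epoch("2020-06-30T12:00:00Z"), "lastTime": epoch("2020-07-20T17:00:00Z")},
]

if __name__ == "__main__":
    for row in detect_new_console_logins(SAMPLE_EVENTS, SAMPLE_BASELINE, NOW):
        print(row["user"], row["userStatus"])
```

Run as-is, only alice is reported: bob's baseline entry pulls his firstTime back to June, and carol's login predates the 70-minute cutoff. The cutoff is deliberately wider than the hourly schedule, so a user whose login the baseline update has already absorbed still shows a firstTime inside the window and is still flagged.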