LoFP
t1586.003
Title
Tags
a source ip failing to authenticate with multiple users in a short period of time is not common legitimate behavior.
T1110.003
T1110.004
t1586.003
o365 tenant
okta tenant
splunk
a source ip failing to authenticate with multiple users is not common for legitimate behavior.
T1110.003
T1110.004
t1586.003
azure active directory
splunk
a user may have accidentally entered the wrong credentials during the mfa challenge. if the user is new to mfa, they may have trouble authenticating. ensure that the user is aware of the mfa process and has the correct credentials.
t1078.004
t1586.003
t1621
okta tenant
splunk
administrative users will likely use powershell commandlets to troubleshoot and maintain the environment. filter as needed.
t1078.004
t1586.003
azure active directory
splunk
administrator tooling or automated scripts may make these calls but it is highly unlikely to make several calls in a short period of time.
t1110.001
t1586.003
aws account
splunk
although not recommended, certain users may be exempt from multi-factor authentication. adjust the filter as necessary.
t1078.004
t1586.003
t1621
okta tenant
splunk
although not recommended, certain users may be permitted to sign in without multi-factor authentication. filter as needed.
t1078.004
t1586.003
azure active directory
google cloud platform tenant
splunk
aws administrators may disable mfa, but it is highly unlikely for this event to occur without prior notice to the company.
t1556.006
t1586.003
t1621
aws account
splunk
details for the risk calculation algorithm used by identity protection are unknown and may be prone to false positives.
T1110.003
t1586.003
azure active directory
splunk
false positives have been minimized by removing attempts that result in 'mfa successfully completed' messages, which were found to be generated when a user opts to use a different mfa method than the default. further reductions in finding events can be achieved by filtering 'mfa denied; duplicate authentication attempt' messages within the auth_msg field, as they could arguably be considered false positives.
t1078.004
t1586.003
t1621
azure active directory
splunk
if an end-user incorrectly identifies normal activity as suspicious.
t1586
t1586.003
okta
sigma
it is possible that some accounts do not have mfa enabled for the aws account; however, this is against the best practices for securing aws.
t1078.004
t1586.003
aws account
splunk
it is uncommon for a user to log in from multiple cities simultaneously, which may indicate a false positive.
t1586.003
okta tenant
splunk
legitimate use case may require for users to disable mfa. filter as needed.
t1556.006
t1586.003
azure active directory
gcp
splunk
legitimate users may fail to reply to the mfa challenge within the time window or deny it by mistake.
t1078.004
t1586.003
t1621
google cloud platform tenant
aws account
splunk
multiple failed mfa requests may also be a sign of authentication or application issues. filter as needed.
t1078.004
t1586.003
t1621
aws account
azure active directory
o365 tenant
google cloud platform tenant
splunk
no known false positives for this detection. please review this alert.
T1110.003
T1110.004
t1586.003
google cloud platform tenant
splunk
no known false positives for this detection. please review this alert.
T1110.003
T1110.004
t1586.003
aws account
splunk
this detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of vpns or cloud services that rotate ip addresses. filter as needed.
T1110.003
T1110.004
t1586.003
azure tenant
o365 tenant
splunk
users may genuinely mistype or forget the password.
t1110.001
t1586.003
aws account
splunk
users may genuinely reset the rds password.
t1110
t1586.003
aws account
splunk
when a legitimate new user logs in for the first time, this activity will be detected. check how old the account is and verify that the user activity is legitimate.
T1535
t1552
t1586.003
aws instance
splunk