LoFP / A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.

Sample rules

AWS Concurrent Sessions From Different Ips

Description

The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the DescribeEventAggregates event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.

Detection logic

`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" 
| bin span=5m _time 
| stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn 
| where distinct_ip_count > 1 
| `aws_concurrent_sessions_from_different_ips_filter`

ASL AWS Concurrent Sessions From Different Ips

Description

The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the DescribeEventAggregates API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.

Detection logic

`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" 
| bin span=5m _time 
| stats values(src_endpoint.ip) as src_ip dc(src_endpoint.ip) as distinct_ip_count by _time identity.user.credential_uid identity.user.name 
| where distinct_ip_count > 1 
| rename identity.user.name as user 
| `asl_aws_concurrent_sessions_from_different_ips_filter`

Azure AD Concurrent Sessions From Different Ips

Description

The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches.

Detection logic

`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success 
| rename properties.* as * 
| bucket span=5m _time 
| stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips dc(location.city) as dc_city values(location.city) as city values(src_ip) as src_ip values(appDisplayName) as appDisplayName values(location.countryOrRegion) by user _time 
| where unique_ips > 1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_concurrent_sessions_from_different_ips_filter`
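All three rules above apply the same aggregation: drop internal/filtered events, bucket each event into a fixed 5-minute bin, count distinct source IPs per user and bin, and alert when the count exceeds 1. The Python below is an added example that re-implements that logic outside Splunk so the threshold and the allowlist filter (the role the `_filter` macros play) can be exercised against constructed records; it is not code from the LoFP project or from Splunk. The event records, the `allowlist` parameter, and the function names are assumptions made for the example; only the field names `src_ip`, `user_arn`, `eventName` and the `"AWS Internal"` exclusion come from the CloudTrail rule.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records shaped like the CloudTrail fields the rule keys on.
# These are made-up events, not real CloudTrail output.
SAMPLE_EVENTS = [
    # alice: two public IPs inside one 5-minute bin -> should be flagged
    {"time": "2024-01-01T10:00:10Z", "user_arn": "arn:aws:iam::111111111111:user/alice",
     "src_ip": "203.0.113.5", "eventName": "DescribeEventAggregates"},
    {"time": "2024-01-01T10:03:40Z", "user_arn": "arn:aws:iam::111111111111:user/alice",
     "src_ip": "198.51.100.7", "eventName": "DescribeEventAggregates"},
    # bob: two IPs, but they straddle the 10:05 bin boundary -> not flagged by a fixed bin
    {"time": "2024-01-01T10:02:00Z", "user_arn": "arn:aws:iam::111111111111:user/bob",
     "src_ip": "203.0.113.9", "eventName": "DescribeEventAggregates"},
    {"time": "2024-01-01T10:06:00Z", "user_arn": "arn:aws:iam::111111111111:user/bob",
     "src_ip": "198.51.100.3", "eventName": "DescribeEventAggregates"},
    # carol: one real IP plus an "AWS Internal" event, which the rule excludes -> not flagged
    {"time": "2024-01-01T10:01:00Z", "user_arn": "arn:aws:iam::111111111111:user/carol",
     "src_ip": "AWS Internal", "eventName": "DescribeEventAggregates"},
    {"time": "2024-01-01T10:02:00Z", "user_arn": "arn:aws:iam::111111111111:user/carol",
     "src_ip": "203.0.113.20", "eventName": "DescribeEventAggregates"},
    # dave: a different API call, filtered out by the eventName clause
    {"time": "2024-01-01T10:02:30Z", "user_arn": "arn:aws:iam::111111111111:user/dave",
     "src_ip": "203.0.113.30", "eventName": "GetCallerIdentity"},
]

SPAN_SECONDS = 300   # the rules' "bin span=5m"
THRESHOLD = 1        # the rules' "where distinct_ip_count > 1"


def bin_time(ts: str, span: int = SPAN_SECONDS) -> int:
    """Align an ISO-8601 UTC timestamp down to the start of its fixed bin (epoch seconds)."""
    epoch = int(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
                .replace(tzinfo=timezone.utc).timestamp())
    return epoch - (epoch % span)


def _allowlisted(ip: str, nets) -> bool:
    """True if ip falls inside any allowlisted network (hypothetical stand-in for the filter macro)."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # non-IP strings such as "AWS Internal" never match
    return any(addr in net for net in nets)


def concurrent_sessions(events, span=SPAN_SECONDS, threshold=THRESHOLD,
                        event_name="DescribeEventAggregates", allowlist=None):
    """Return one finding per (bin, user) whose distinct source-IP count exceeds threshold."""
    nets = [ipaddress.ip_network(c) for c in (allowlist or [])]
    buckets = defaultdict(set)  # (bin_start, user_arn) -> set of source IPs

    for ev in events:
        if ev["eventName"] != event_name or ev["src_ip"] == "AWS Internal":
            continue                          # the search-time filters of the rule
        if _allowlisted(ev["src_ip"], nets):
            continue                          # known egress ranges, e.g. corporate NAT
        key = (bin_time(ev["time"], span), ev["user_arn"])
        buckets[key].add(ev["src_ip"])        # values(src_ip) / dc(src_ip) by _time user_arn

    return [
        {"_time": start, "user_arn": user,
         "src_ip": sorted(ips), "distinct_ip_count": len(ips)}
        for (start, user), ips in sorted(buckets.items())
        if len(ips) > threshold
    ]


if __name__ == "__main__":
    for finding in concurrent_sessions(SAMPLE_EVENTS):
        print(finding)
```

Two behaviours worth noticing when tuning: raising `threshold` or adding the organisation's egress ranges to `allowlist` is how the false-positive note above ("filter as needed and/or customize the threshold") is realised, and the fixed `bin` alignment means a pair of IPs that straddle a 5-minute boundary (bob in the sample data) is never counted together, so a sliding window would be needed if that gap matters for your environment.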