LoFP: A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. Also consider the geographic location of the IP addresses and filter out IP space that belongs to your organization.

Sample rules

Azure AD Concurrent Sessions From Different Ips

Description

The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches.

Detection logic

`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success 
| rename properties.* as * 
| bucket span=5m _time 
| rename userAgent as user_agent 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime dc(src) as unique_ips values(dest) as dest values(src) as src values(user_agent) as user_agent by user _time vendor_account vendor_product category 
| where unique_ips > 1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_concurrent_sessions_from_different_ips_filter`

ASL AWS Concurrent Sessions From Different Ips

Description

The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute span. This detection leverages AWS CloudTrail logs, specifically the DescribeEventAggregates API call, to identify multiple IP addresses associated with the same user session. This behavior is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this activity could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation.

Detection logic

`amazon_security_lake` api.operation=DescribeEventAggregates src_endpoint.domain!="AWS Internal" 
| bin span=5m _time 
| stats min(_time) as firstTime max(_time) as lastTime values(api.operation) as api.operation values(api.service.name) as api.service.name values(http_request.user_agent) as http_request.user_agent values(src_endpoint.ip) as src_ip values(actor.user.account.uid) as actor.user.account.uid values(cloud.provider) as cloud.provider values(cloud.region) as cloud.region dc(src_endpoint.ip) as distinct_ip_count by _time actor.user.uid 
| where distinct_ip_count > 1 
| rename actor.user.uid as user api.operation as action api.service.name as dest http_request.user_agent as user_agent src_endpoint.ip as src actor.user.account.uid as vendor_account cloud.provider as vendor_product cloud.region as vendor_region 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `asl_aws_concurrent_sessions_from_different_ips_filter`

AWS Concurrent Sessions From Different Ips

Description

The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the DescribeEventAggregates event, to detect this behavior. This activity is significant as it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.

Detection logic

`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal" 
| bin span=5m _time 
| rename user_name as user 
| stats min(_time) as firstTime max(_time) as lastTime values(user_agent) as user_agent values(signature) as signature values(src) as src values(dest) as dest dc(src) as distinct_ip_count by _time user vendor_account vendor_region vendor_product 
| where distinct_ip_count > 1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `aws_concurrent_sessions_from_different_ips_filter`
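All three rules above share one piece of logic: keep successful sign-ins, bucket them into 5-minute windows, count distinct source IPs per user and bucket, and alert when that count exceeds 1. The example below re-implements that logic in Python over a handful of constructed sign-in events so the behaviour can be traced by hand, and it also applies the false-positive guidance from the top of the page (drop events from the organization's own IP space and make the threshold tunable). This is an added illustration, not code from the Splunk rules or from the LoFP project; the sample events, the `ORG_IP_SPACE` allowlist and the field names are constructed to mirror the normalized fields the rules produce.

```python
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

SPAN_SECONDS = 300  # the rules' 5-minute bucket (bucket/bin span=5m _time)

# Constructed sample sign-in events, not real log data. Field names follow the
# normalized fields the rules work with: user, src (source IP), dest, user_agent,
# plus the success flag the rules filter on (succeeded=true / action=success).
SAMPLE_EVENTS = [
    {"time": "2024-05-01T10:00:10Z", "user": "alice@example.com", "src": "203.0.113.10",
     "dest": "Office 365 Exchange Online", "user_agent": "Chrome/124", "succeeded": True},
    {"time": "2024-05-01T10:02:40Z", "user": "alice@example.com", "src": "198.51.100.7",
     "dest": "Office 365 Exchange Online", "user_agent": "python-requests/2.31", "succeeded": True},
    # bob: two IPs in one bucket, but both inside the organization's own address space
    {"time": "2024-05-01T10:03:05Z", "user": "bob@example.com", "src": "192.0.2.5",
     "dest": "Microsoft Teams", "user_agent": "Edge/124", "succeeded": True},
    {"time": "2024-05-01T10:04:30Z", "user": "bob@example.com", "src": "192.0.2.8",
     "dest": "Microsoft Teams", "user_agent": "Edge/124", "succeeded": True},
    # carol: two IPs, but neither sign-in succeeded, so the rules ignore them
    {"time": "2024-05-01T10:01:00Z", "user": "carol@example.com", "src": "203.0.113.20",
     "dest": "SharePoint Online", "user_agent": "Safari/17", "succeeded": False},
    {"time": "2024-05-01T10:01:30Z", "user": "carol@example.com", "src": "203.0.113.21",
     "dest": "SharePoint Online", "user_agent": "Safari/17", "succeeded": False},
    # alice again in the next 5-minute bucket, from a single IP
    {"time": "2024-05-01T10:07:00Z", "user": "alice@example.com", "src": "203.0.113.10",
     "dest": "Office 365 Exchange Online", "user_agent": "Chrome/124", "succeeded": True},
]

# Constructed allowlist standing in for "IP space that belongs to your organization".
ORG_IP_SPACE = [ip_network("192.0.2.0/24")]


def bucket_start(timestamp: str) -> int:
    """Floor an ISO-8601 timestamp to the start of its 5-minute bucket (epoch seconds)."""
    epoch = int(datetime.fromisoformat(timestamp.replace("Z", "+00:00")).timestamp())
    return epoch - epoch % SPAN_SECONDS


def is_org_ip(ip: str) -> bool:
    """True when the source address falls inside the organization's own ranges."""
    return any(ip_address(ip) in net for net in ORG_IP_SPACE)


def detect_concurrent_sessions(events, threshold=1, exclude_org_ips=True):
    """Return one finding per (user, bucket) whose distinct source IPs exceed threshold.

    Mirrors the rules' stats clause: count, firstTime, lastTime, dc(src) as
    unique_ips, values(dest), values(src), values(user_agent) by user and bucket.
    """
    groups = defaultdict(lambda: {"count": 0, "times": [], "src": set(),
                                  "dest": set(), "user_agent": set()})
    for ev in events:
        if not ev["succeeded"]:
            continue  # only successful authentications, as in the rules
        if exclude_org_ips and is_org_ip(ev["src"]):
            continue  # the LoFP tuning: ignore the organization's own IP space
        g = groups[(ev["user"], bucket_start(ev["time"]))]
        g["count"] += 1
        g["times"].append(ev["time"])
        g["src"].add(ev["src"])
        g["dest"].add(ev["dest"])
        g["user_agent"].add(ev["user_agent"])

    findings = []
    for (user, start), g in groups.items():
        unique_ips = len(g["src"])
        if unique_ips > threshold:  # the rules' "where unique_ips > 1"
            findings.append({
                "user": user,
                "bucket": datetime.fromtimestamp(start, tz=timezone.utc).isoformat(),
                "count": g["count"],
                "firstTime": min(g["times"]),
                "lastTime": max(g["times"]),
                "unique_ips": unique_ips,
                "src": sorted(g["src"]),
                "dest": sorted(g["dest"]),
                "user_agent": sorted(g["user_agent"]),
            })
    return sorted(findings, key=lambda f: (f["bucket"], f["user"]))


if __name__ == "__main__":
    for finding in detect_concurrent_sessions(SAMPLE_EVENTS):
        print(finding)
```

With the defaults only alice's 10:00 bucket is reported (two external IPs, one of them a scripted user agent); bob disappears because both of his addresses sit in the organization's range, carol because her sign-ins failed, and alice's 10:05 bucket because it contains a single IP. Passing `exclude_org_ips=False` reproduces the untuned rule and brings bob back, and raising `threshold` is the knob the LoFP note refers to for noisier environments.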