Techniques
Sample rules
AWS Successful Console Authentication From Multiple IPs
- source: splunk
- techniques:
- T1586
- T1535
Description
The following analytic identifies an AWS account successfully authenticating to the console from more than one unique IP address within a span of 5 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and is using them to access corporate online resources at around the same time as the legitimate user. Because users behave differently across organizations, security teams should test and customize this detection to fit their environment.
Detection logic
`cloudtrail` eventName = ConsoleLogin
| bin span=5m _time
| stats values(userAgent) as userAgent values(eventName) as eventName values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn
| where distinct_ip_count>1
| `aws_successful_console_authentication_from_multiple_ips_filter`
Azure AD Successful Authentication From Different Ips
- source: splunk
- techniques:
- T1110
- T1110.001
- T1110.003
Description
The following analytic identifies an Azure AD account successfully authenticating from more than one unique IP address within a span of 30 minutes. This behavior could represent an adversary who has stolen credentials via a phishing attack or some other method and is using them to access corporate online resources at around the same time as the legitimate user. Because users behave differently across organizations, security teams should test and customize this detection to fit their environment.
Detection logic
`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs
| rename properties.* as *
| bucket span=30m _time
| stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where unique_ips > 1
| `azure_ad_successful_authentication_from_different_ips_filter`
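As an added example (not part of the original Splunk content, and not the analytics' own code), the following Python re-implements the core shared by both rules above and runs it over constructed sample events: bucket logins into fixed time windows, count distinct source IPs per user per window, and flag any count above one. The sample CloudTrail and Azure Monitor sign-in records use the native JSON field names (userIdentity.arn, sourceIPAddress, properties.ipAddress, properties.userPrincipalName) rather than the Splunk-normalized src_ip and user fields, and the responseElements.ConsoleLogin == "Success" check in the CloudTrail adapter is an assumption added here: the AWS search as written matches every ConsoleLogin event regardless of outcome, so a failed attempt from a second address trips it too. The sliding-window variant illustrates a caveat of `bin span=5m`: its fixed boundaries are aligned to multiples of the span, so two logins seconds apart that straddle a boundary land in different bins and are never paired.

```python
from collections import defaultdict
from datetime import datetime


def to_epoch(ts):
    """ISO-8601 'Z' timestamp -> Unix seconds (UTC)."""
    return int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())


# Constructed CloudTrail ConsoleLogin records (sample data, not real logs).
def _ct(t, name, ip, outcome):
    return {"eventTime": t, "eventName": "ConsoleLogin",
            "userIdentity": {"arn": "arn:aws:iam::123456789012:user/" + name},
            "sourceIPAddress": ip, "userAgent": "Mozilla/5.0",
            "responseElements": {"ConsoleLogin": outcome}}


CLOUDTRAIL_EVENTS = [
    _ct("2024-03-01T09:00:10Z", "alice", "198.51.100.7", "Success"),
    _ct("2024-03-01T09:02:45Z", "alice", "203.0.113.44", "Success"),  # 2nd IP, same 5m bin
    _ct("2024-03-01T09:04:50Z", "bob", "192.0.2.10", "Success"),
    _ct("2024-03-01T09:05:20Z", "bob", "192.0.2.99", "Success"),      # 30s later, next 5m bin
    _ct("2024-03-01T09:11:00Z", "carol", "198.51.100.7", "Success"),
    _ct("2024-03-01T09:12:00Z", "carol", "203.0.113.44", "Failure"),  # failed attempt
]


# Constructed Azure Monitor SignInLogs records (simplified shape, sample data).
def _aad(t, upn, ip, app, ok):
    return {"time": t, "category": "SignInLogs",
            "properties": {"userPrincipalName": upn, "ipAddress": ip,
                           "appDisplayName": app,
                           "authenticationDetails": [{"succeeded": ok}]}}


AAD_EVENTS = [
    _aad("2024-03-01T10:05:00Z", "dave@example.com", "203.0.113.5", "Office 365", True),
    _aad("2024-03-01T10:20:00Z", "dave@example.com", "198.51.100.22", "Azure Portal", True),
    _aad("2024-03-01T10:07:00Z", "erin@example.com", "192.0.2.50", "Office 365", False),
    _aad("2024-03-01T10:08:00Z", "erin@example.com", "192.0.2.51", "Office 365", True),
]


def normalize_cloudtrail(events, require_success=True):
    """CloudTrail ConsoleLogin records -> (epoch, user, ip). The page's SPL has no
    outcome filter; the responseElements check is an assumption added here."""
    out = []
    for e in events:
        if e.get("eventName") != "ConsoleLogin":
            continue
        if require_success and e.get("responseElements", {}).get("ConsoleLogin") != "Success":
            continue
        out.append((to_epoch(e["eventTime"]), e["userIdentity"]["arn"], e["sourceIPAddress"]))
    return out


def normalize_aad(events):
    """SignInLogs records -> (epoch, user, ip), keeping only sign-ins whose
    authenticationDetails report succeeded=true, as the Azure AD search does."""
    out = []
    for e in events:
        p = e.get("properties", {})
        if e.get("category") != "SignInLogs":
            continue
        if not any(d.get("succeeded") for d in p.get("authenticationDetails", [])):
            continue
        out.append((to_epoch(e["time"]), p["userPrincipalName"], p["ipAddress"]))
    return out


def fixed_bin_alerts(records, span):
    """Splunk-style: bin span=<span> _time | stats dc(src_ip) by _time user | where dc>1.
    Bins are aligned to multiples of `span` seconds from the Unix epoch, like `bin`."""
    ips = defaultdict(set)
    for t, user, ip in records:
        ips[(t - t % span, user)].add(ip)
    alerts = [{"window_start": b, "user": u, "src_ip": sorted(s), "distinct_ip_count": len(s)}
              for (b, u), s in ips.items() if len(s) > 1]
    return sorted(alerts, key=lambda a: (a["window_start"], a["user"]))


def sliding_window_alerts(records, span):
    """Variant that looks back `span` seconds from every event, so two logins that
    straddle a fixed bin boundary are still paired. One alert per user."""
    by_user = defaultdict(list)
    for t, user, ip in records:
        by_user[user].append((t, ip))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()
        seen, lo = set(), 0
        for hi, (t, _) in enumerate(evs):
            while evs[lo][0] < t - span:
                lo += 1                      # drop events older than the look-back
            window_ips = {ip for _, ip in evs[lo:hi + 1]}
            if len(window_ips) > 1:
                seen |= window_ips
        if seen:
            alerts.append({"user": user, "src_ip": sorted(seen)})
    return sorted(alerts, key=lambda a: a["user"])


CT_RECORDS = normalize_cloudtrail(CLOUDTRAIL_EVENTS)
CT_ALERTS = fixed_bin_alerts(CT_RECORDS, 300)                    # 5m bins, as the AWS rule
CT_SLIDING = sliding_window_alerts(CT_RECORDS, 300)              # catches bob as well
CT_ALERTS_ANY_OUTCOME = fixed_bin_alerts(                        # no success filter: carol too
    normalize_cloudtrail(CLOUDTRAIL_EVENTS, require_success=False), 300)
AAD_ALERTS = fixed_bin_alerts(normalize_aad(AAD_EVENTS), 1800)   # 30m bins, as the Azure rule

if __name__ == "__main__":
    for label, alerts in [("aws fixed", CT_ALERTS), ("aws sliding", CT_SLIDING),
                          ("aws any outcome", CT_ALERTS_ANY_OUTCOME), ("aad fixed", AAD_ALERTS)]:
        print(label, [(a["user"], a["src_ip"]) for a in alerts])
```

With the fixed 5-minute bins only alice is flagged: bob's two logins are 30 seconds apart but fall into the 09:00 and 09:05 bins, so the Splunk search as written never sees them together; the sliding variant pairs them. Dropping the success filter adds carol, whose second address only produced a failed login, which is why a practitioner tuning the AWS rule would usually want to filter on the outcome before counting IPs.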