LoFP / it's strongly recommended that the root user is not used for everyday tasks, including the administrative ones. verify whether the ip address, location, and/or hostname should be logging in as root in your environment. unfamiliar root logins should be investigated immediately. if known behavior is causing false positives, it can be exempted from the rule.

Techniques

• T1078

Sample rules

AWS Management Console Root Login

• source: elastic
• technicques:
  • T1078

Description

Identifies a successful login to the AWS Management Console by the Root user.

Detection logic

event.dataset:aws.cloudtrail and 
event.provider:signin.amazonaws.com and 
event.action:ConsoleLogin and 
aws.cloudtrail.user_identity.type:Root and 
event.outcome:success