LoFP / Legitimate failed login attempts by authorized users. Investigate the source of repeated failed login attempts.

Techniques

Sample rules

AWS ConsoleLogin Failed Authentication

Description

Detects failed AWS console login attempts due to authentication failures. Monitoring these events is crucial for identifying potential brute-force attacks or unauthorized access attempts to AWS accounts.

Detection logic

condition: selection
selection:
  errorMessage: Failed authentication
  eventName: ConsoleLogin
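
The selection above, applied to CloudTrail-style records and then grouped by source address to separate a one-off mistyped password from repeated failures. This is an added example, not part of the rule or its project; the sample events, the threshold of 3, the verdict labels and the helper names are assumptions made for illustration.

```python
from collections import defaultdict

# Field/value pairs from the rule's selection; all must match exactly.
SELECTION = {"eventName": "ConsoleLogin", "errorMessage": "Failed authentication"}
REPEAT_THRESHOLD = 3  # assumption: triage cut-off, not part of the rule

def ev(time, ip, user, ok):
    """Build a constructed CloudTrail-style ConsoleLogin record."""
    rec = {"eventTime": time, "eventName": "ConsoleLogin", "sourceIPAddress": ip,
           "userIdentity": {"type": "IAMUser", "userName": user},
           "responseElements": {"ConsoleLogin": "Success" if ok else "Failure"}}
    if not ok:
        rec["errorMessage"] = "Failed authentication"
    return rec

# Constructed sample data: documentation IP ranges and made-up user names.
SAMPLE_EVENTS = [
    ev("2024-01-10T09:00:05Z", "198.51.100.7", "alice", False),
    ev("2024-01-10T09:00:31Z", "198.51.100.7", "alice", True),
    ev("2024-01-10T09:12:01Z", "203.0.113.50", "admin", False),
    ev("2024-01-10T09:12:03Z", "203.0.113.50", "ops", False),
    ev("2024-01-10T09:12:05Z", "203.0.113.50", "admin", False),
    ev("2024-01-10T09:12:08Z", "203.0.113.50", "backup", False),
]

def matches(event):
    """True when the event satisfies every field of the selection."""
    return all(event.get(k) == v for k, v in SELECTION.items())

def triage(events, threshold=REPEAT_THRESHOLD):
    """Group rule hits by source IP and separate one-off failures from repeats."""
    hits = defaultdict(lambda: {"failures": 0, "users": set(), "last_fail": ""})
    for e in filter(matches, events):
        h = hits[e["sourceIPAddress"]]
        h["failures"] += 1
        h["users"].add(e["userIdentity"].get("userName", "unknown"))
        h["last_fail"] = max(h["last_fail"], e["eventTime"])
    report = {}
    for ip, h in hits.items():
        # A later success from the same source suggests a mistyped password.
        recovered = any(e["sourceIPAddress"] == ip and e["eventTime"] > h["last_fail"]
                        and (e.get("responseElements") or {}).get("ConsoleLogin") == "Success"
                        for e in events)
        repeated = h["failures"] >= threshold or len(h["users"]) > 1
        report[ip] = {"failures": h["failures"], "users": sorted(h["users"]),
                      "verdict": "investigate" if repeated
                      else "likely_benign" if recovered else "review"}
    return report
```

Calling `triage(SAMPLE_EVENTS)` returns one entry per source address that produced a rule hit, with the failure count, the user names involved and the verdict.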