LoFP / When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Techniques

Sample rules

Detect AWS Console Login by User from New Region

Description

This search looks for AWS CloudTrail console login events recorded within the last hour, geolocates the source IP with `iplocation`, and joins the result to the previously_seen_users_console_logins lookup of users (by ARN) who have logged into the console before, carrying the lookup's Region (previouslySeenRegion) alongside the Region of the current login (justSeenRegion). Note that, as written, the alert condition tests only whether the user's first login from that source IP falls within the last 24 hours: previouslySeenRegion and justSeenRegion are both emitted in the results for the analyst to compare, but the search itself does not compare them, and with the default `join` settings only one lookup row per user is joined even when the lookup holds several regions for that user.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src 
| iplocation Authentication.src 
| `drop_dm_object_name(Authentication)` 
| rename Region as justSeenRegion 
| table firstTime lastTime user justSeenRegion 
| join user type=outer [
| inputlookup previously_seen_users_console_logins 
| rename Region as previouslySeenRegion 
| stats min(firstTime) AS earliestseen by user previouslySeenRegion 
| fields earliestseen user previouslySeenRegion] 
| eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") 
| where userRegion= "New Region" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion 
| `detect_aws_console_login_by_user_from_new_region_filter`

Detect AWS Console Login by User from New City

Description

This search looks for AWS CloudTrail console login events recorded within the last hour, geolocates the source IP with `iplocation`, and joins the result to the previously_seen_users_console_logins lookup of users (by ARN) who have logged into the console before, carrying the lookup's City (previouslySeenCity) alongside the City of the current login (justSeenCity). Note that, as written, the alert condition tests only whether the user's first login from that source IP falls within the last 24 hours: previouslySeenCity and justSeenCity are both emitted in the results for the analyst to compare, but the search itself does not compare them, and with the default `join` settings only one lookup row per user is joined even when the lookup holds several cities for that user.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src 
| iplocation Authentication.src 
| `drop_dm_object_name(Authentication)` 
| rename City as justSeenCity 
| table firstTime lastTime user justSeenCity 
| join user type=outer [
| inputlookup previously_seen_users_console_logins 
| rename City as previouslySeenCity 
| stats min(firstTime) AS earliestseen by user previouslySeenCity 
| fields earliestseen user previouslySeenCity] 
| eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City") 
| where userCity = "New City" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime lastTime user previouslySeenCity justSeenCity userCity 
| `detect_aws_console_login_by_user_from_new_city_filter`

Detect AWS Console Login by User from New Country

Description

This search looks for AWS CloudTrail console login events recorded within the last hour, geolocates the source IP with `iplocation`, and joins the result to the previously_seen_users_console_logins lookup of users (by ARN) who have logged into the console before, carrying the lookup's Country (previouslySeenCountry) alongside the Country of the current login (justSeenCountry). Note that, as written, the alert condition tests only whether the user's first login from that source IP falls within the last 24 hours: previouslySeenCountry and justSeenCountry are both emitted in the results for the analyst to compare, but the search itself does not compare them, and with the default `join` settings only one lookup row per user is joined even when the lookup holds several countries for that user.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src 
| iplocation Authentication.src 
| `drop_dm_object_name(Authentication)` 
| rename Country as justSeenCountry 
| table firstTime lastTime user justSeenCountry 
| join user type=outer [
| inputlookup previously_seen_users_console_logins 
| rename Country as previouslySeenCountry 
| stats min(firstTime) AS earliestseen by user previouslySeenCountry 
| fields earliestseen user previouslySeenCountry] 
| eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") 
| where userCountry = "New Country" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry 
| `detect_aws_console_login_by_user_from_new_country_filter`

Detect AWS Console Login by New User

Description

This search looks for AWS CloudTrail console login events recorded within the last hour, then compares them to the previously_seen_users_console_logins lookup of users (by ARN) who have logged into the console before. The alert fires if the user is absent from the lookup, or if the lookup's earliest firstTime for the user falls within the last 24 hours, i.e. the user logged into the console for the first time within that window.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user 
| `drop_dm_object_name(Authentication)` 
| join user type=outer [ 
| inputlookup previously_seen_users_console_logins 
| stats min(firstTime) as earliestseen by user] 
| eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User") 
| where userStatus="First Time Logging into AWS Console" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_aws_console_login_by_new_user_filter`

Detect new user AWS Console Login

Description

This search looks for AWS CloudTrail console login events recorded within the last hour, appends the previously_seen_users_console_logins_cloudtrail lookup of users (by ARN) who have logged into the console before, and alerts if the user's earliest login across both falls within the last 70 minutes, i.e. the user logged into the console for the first time within that window. This search is deprecated: it has been replaced by the version above that uses the Authentication datamodel.

Detection logic

`cloudtrail` eventName=ConsoleLogin 
| rename userIdentity.arn as user 
| stats earliest(_time) as firstTime latest(_time) as lastTime by user 
| inputlookup append=t previously_seen_users_console_logins_cloudtrail  
| stats min(firstTime) as firstTime max(lastTime) as lastTime by user 
| eval userStatus=if(firstTime >= relative_time(now(), "-70m@m"), "First Time Logging into AWS Console","Previously Seen User") 
| `security_content_ctime(firstTime)`
|`security_content_ctime(lastTime)`
| where userStatus ="First Time Logging into AWS Console"  
| `detect_new_user_aws_console_login_filter`
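To make the baseline logic of the rules above concrete, here is an added Python example (not code from the Splunk content or from this page) that reproduces the "first console login" check of Detect AWS Console Login by New User and the intended new-Region/City/Country comparison over a handful of constructed CloudTrail ConsoleLogin events, then applies the triage step from the false-positive note (how old is the account?). Unlike the SPL, the location check compares the current value against every value recorded for the user in the baseline. The event records, the previously_seen_users_console_logins stand-in, the GEO table that replaces `iplocation`, the IAM creation dates and the fixed NOW timestamp are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (the SPL uses now()). Constructed.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)

# Constructed CloudTrail events, trimmed to the fields the rules use.
EVENTS = [
    {"eventTime": "2024-05-01T11:30:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2024-05-01T11:45:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}, "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2024-05-01T11:50:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}, "sourceIPAddress": "192.0.2.5"},
    {"eventTime": "2024-05-01T11:55:00Z", "eventName": "ConsoleLogin",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}, "sourceIPAddress": "192.0.2.5"},
    {"eventTime": "2024-05-01T11:58:00Z", "eventName": "GetCallerIdentity",  # not a console login
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"}, "sourceIPAddress": "192.0.2.5"},
]

# Constructed stand-in for the previously_seen_users_console_logins lookup (one row per user/location).
PREVIOUSLY_SEEN = [
    {"user": "arn:aws:iam::123456789012:user/alice", "firstTime": "2024-01-10T09:00:00Z",
     "Country": "United States", "Region": "California", "City": "San Francisco"},
    {"user": "arn:aws:iam::123456789012:user/carol", "firstTime": "2024-05-01T00:30:00Z",
     "Country": "United States", "Region": "Virginia", "City": "Ashburn"},
]

# Constructed stand-in for `iplocation` (no GeoIP database offline).
GEO = {
    "203.0.113.10": {"Country": "United States", "Region": "California", "City": "San Francisco"},
    "198.51.100.7": {"Country": "Germany", "Region": "Berlin", "City": "Berlin"},
    "192.0.2.5": {"Country": "United States", "Region": "Virginia", "City": "Ashburn"},
}

# Constructed IAM CreateDate values for the triage step.
ACCOUNT_CREATED = {
    "arn:aws:iam::123456789012:user/bob": "2024-04-29T08:00:00Z",
    "arn:aws:iam::123456789012:user/carol": "2023-02-01T08:00:00Z",
}


def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps CloudTrail emits into aware UTC datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def login_summary(events):
    """Mirror `tstats earliest(_time) ... latest(_time) ... by user src` for ConsoleLogin."""
    summary = {}
    for ev in events:
        if ev["eventName"] != "ConsoleLogin":
            continue
        key = (ev["userIdentity"]["arn"], ev["sourceIPAddress"])
        ts = parse_ts(ev["eventTime"])
        first, last = summary.get(key, (ts, ts))
        summary[key] = (min(first, ts), max(last, ts))
    return summary


def new_users(events, lookup, now=NOW, window=timedelta(hours=24)):
    """Detect AWS Console Login by New User: the user is absent from the lookup, or the
    lookup's earliest firstTime for the user is inside the window."""
    earliest_seen = {}
    for row in lookup:
        ts = parse_ts(row["firstTime"])
        earliest_seen[row["user"]] = min(earliest_seen.get(row["user"], ts), ts)
    cutoff = now - window
    flagged = set()
    for user, _src in login_summary(events):
        seen = earliest_seen.get(user)
        if seen is None or seen >= cutoff:
            flagged.add(user)
    return sorted(flagged)


def new_locations(events, lookup, geo, field):
    """Intended logic of the New Region/City/Country rules: the `field` value of the login
    source has never been recorded for that user. Users with no baseline at all are left
    to new_users() (the SPL's outer join would emit them with an empty previouslySeen)."""
    baseline = {}
    for row in lookup:
        baseline.setdefault(row["user"], set()).add(row[field])
    hits = []
    for (user, src), (first, last) in sorted(login_summary(events).items()):
        if user not in baseline:
            continue
        just_seen = geo.get(src, {}).get(field)
        if just_seen is not None and just_seen not in baseline[user]:
            hits.append({"user": user, "src": src, "firstTime": first, "lastTime": last,
                         "justSeen": just_seen, "previouslySeen": sorted(baseline[user])})
    return hits


def triage(user, created, now=NOW, max_age=timedelta(days=7)):
    """The LoFP note: a first login from a freshly created account is expected onboarding;
    a first login from an old account deserves a closer look."""
    age = now - parse_ts(created[user])
    return "expected onboarding" if age <= max_age else f"investigate: account is {age.days} days old"


if __name__ == "__main__":
    print("new users:", new_users(EVENTS, PREVIOUSLY_SEEN))
    for field in ("Country", "Region", "City"):
        for hit in new_locations(EVENTS, PREVIOUSLY_SEEN, GEO, field):
            print(f"new {field}:", hit["user"], hit["src"], hit["justSeen"], "baseline:", hit["previouslySeen"])
    for user in ACCOUNT_CREATED:
        print("triage:", user, triage(user, ACCOUNT_CREATED))
```

Running it flags bob (no baseline row) and carol (baseline firstTime inside the 24-hour window) as first-time console users, and alice's login from 198.51.100.7 as a new Country, Region and City; triage then separates bob, created two days earlier, from carol, whose account is over a year old. In production the baseline would be refreshed from the same ConsoleLogin data after each run, exactly as the lookup-generating searches behind the SPL do.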