LoFP / When a legitimate new user logs in for the first time, this activity will be detected. Check how old the account is and verify that the user activity is legitimate.

Techniques

Sample rules

Detect AWS Console Login by User from New City

Description

The following analytic identifies AWS console login events by users from a new city within the last hour. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen user locations. This activity is significant for a SOC as it may indicate unauthorized access or credential compromise, especially if the login originates from an unusual location. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src 
| iplocation Authentication.src 
| `drop_dm_object_name(Authentication)` 
| rename City as justSeenCity 
| table firstTime lastTime user justSeenCity 
| join user type=outer [
| inputlookup previously_seen_users_console_logins 
| rename City as previouslySeenCity 
| stats min(firstTime) AS earliestseen by user previouslySeenCity 
| fields earliestseen user previouslySeenCity] 
| eval userCity=if(firstTime >= relative_time(now(), "-24h@h"), "New City","Previously Seen City") 
| where userCity = "New City" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime lastTime user previouslySeenCity justSeenCity userCity 
| `detect_aws_console_login_by_user_from_new_city_filter`

Detect AWS Console Login by User from New Region

Description

The following analytic identifies AWS console login attempts by users from a new region. It leverages AWS CloudTrail events and compares current login regions against a baseline of previously seen regions for each user. This activity is significant as it may indicate unauthorized access attempts or compromised credentials. If confirmed malicious, an attacker could gain unauthorized access to AWS resources, potentially leading to data breaches, resource manipulation, or further lateral movement within the cloud environment.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src 
| iplocation Authentication.src 
| `drop_dm_object_name(Authentication)` 
| rename Region as justSeenRegion 
| table firstTime lastTime user justSeenRegion 
| join user type=outer [
| inputlookup previously_seen_users_console_logins 
| rename Region as previouslySeenRegion 
| stats min(firstTime) AS earliestseen by user previouslySeenRegion 
| fields earliestseen user previouslySeenRegion] 
| eval userRegion=if(firstTime >= relative_time(now(), "-24h@h"), "New Region","Previously Seen Region") 
| where userRegion = "New Region" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime lastTime user previouslySeenRegion justSeenRegion userRegion 
| `detect_aws_console_login_by_user_from_new_region_filter`

Detect AWS Console Login by New User

Description

The following analytic detects AWS console login events by new users. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users based on ARN values. This detection is significant because a new user logging into the AWS console could indicate the creation of new accounts or potential unauthorized access. If confirmed malicious, this activity could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the cloud environment.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user 
| `drop_dm_object_name(Authentication)` 
| join user type=outer [ 
| inputlookup previously_seen_users_console_logins 
| stats min(firstTime) as earliestseen by user] 
| eval userStatus=if(earliestseen >= relative_time(now(), "-24h@h") OR isnull(earliestseen), "First Time Logging into AWS Console", "Previously Seen User") 
| where userStatus="First Time Logging into AWS Console" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `detect_aws_console_login_by_new_user_filter`

Detect AWS Console Login by User from New Country

Description

The following analytic identifies AWS console login events by users from a new country. It leverages AWS CloudTrail events and compares them against a lookup file of previously seen users and their login locations. This activity is significant because logins from new countries can indicate potential unauthorized access or compromised accounts. If confirmed malicious, this could lead to unauthorized access to AWS resources, data exfiltration, or further exploitation within the AWS environment.

Detection logic


| tstats earliest(_time) as firstTime latest(_time) as lastTime from datamodel=Authentication where Authentication.signature=ConsoleLogin by Authentication.user Authentication.src 
| iplocation Authentication.src 
| `drop_dm_object_name(Authentication)` 
| rename Country as justSeenCountry 
| table firstTime lastTime user justSeenCountry 
| join user type=outer [
| inputlookup previously_seen_users_console_logins 
| rename Country as previouslySeenCountry 
| stats min(firstTime) AS earliestseen by user previouslySeenCountry 
| fields earliestseen user previouslySeenCountry] 
| eval userCountry=if(firstTime >= relative_time(now(), "-24h@h"), "New Country","Previously Seen Country") 
| where userCountry = "New Country" 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| table firstTime lastTime user previouslySeenCountry justSeenCountry userCountry 
| `detect_aws_console_login_by_user_from_new_country_filter`
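The four rules above share one mechanism: enrich each ConsoleLogin event, look the user (or the user plus city, region or country) up in a baseline of previously seen logins, and flag the event when the baseline has no entry for it or the entry first appeared inside the last 24 hours (relative_time(now(), "-24h@h")). The following is that comparison as an added example in plain Python over constructed sample data; it is not Splunk's code and not the SPL of the rules. It applies the New User rule's earliestseen test uniformly to all four dimensions, which is a reading of the intent of the City, Region and Country rules rather than a line-for-line transcription, and it adds the account-age check that the false-positive note at the top of the page recommends. The event list, the lookup rows, the IAM creation dates and the function names are all constructed for the example.

```python
"""Added example: the baseline comparison behind the four ESCU rules above,
re-implemented in plain Python over constructed CloudTrail ConsoleLogin events.
Not Splunk's code; the SPL rules do this with tstats, iplocation and join."""
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"

# Constructed ConsoleLogin events, already geo-enriched (the SPL rules derive
# City/Region/Country from Authentication.src with `iplocation`).
EVENTS = [
    {"user": "alice", "src": "203.0.113.10", "city": "Dublin", "region": "Leinster",
     "country": "Ireland", "time": NOW - timedelta(minutes=30)},
    {"user": "alice", "src": "198.51.100.7", "city": "Lisbon", "region": "Lisboa",
     "country": "Portugal", "time": NOW - timedelta(minutes=5)},
    {"user": "bob", "src": "192.0.2.44", "city": "Berlin", "region": "Berlin",
     "country": "Germany", "time": NOW - timedelta(minutes=10)},
    {"user": "carol", "src": "203.0.113.99", "city": "Toronto", "region": "Ontario",
     "country": "Canada", "time": NOW - timedelta(minutes=2)},
    {"user": "dave", "src": "198.51.100.23", "city": "Paris", "region": "Ile-de-France",
     "country": "France", "time": NOW - timedelta(minutes=15)},
]

# Constructed stand-in for the previously_seen_users_console_logins lookup:
# one row per user/location, with the first time that combination was seen.
LOOKUP = [
    {"user": "alice", "city": "Dublin", "region": "Leinster", "country": "Ireland",
     "firstTime": NOW - timedelta(days=90)},
    {"user": "bob", "city": "Berlin", "region": "Berlin", "country": "Germany",
     "firstTime": NOW - timedelta(hours=2)},      # baseline entry younger than 24h
    {"user": "dave", "city": "Paris", "region": "Ile-de-France", "country": "France",
     "firstTime": NOW - timedelta(hours=25)},     # just outside the 24h window
]

# Constructed IAM user creation times, for the account-age check the
# false-positive note recommends before closing a "new user" alert.
USER_CREATED = {
    "alice": NOW - timedelta(days=400),
    "bob": NOW - timedelta(days=60),
    "carol": NOW - timedelta(days=1),
    "dave": NOW - timedelta(days=200),
}


def window_start(now, hours=24):
    """Equivalent of SPL relative_time(now(), "-24h@h"): back 24 hours, snapped to the hour."""
    return (now - timedelta(hours=hours)).replace(minute=0, second=0, microsecond=0)


def _key(row, dimension):
    # "user" is keyed on the user alone; a location is keyed per user, as the
    # SPL `stats min(firstTime) ... by user previouslySeen<X>` does.
    return row["user"] if dimension == "user" else (row["user"], row[dimension])


def earliest_seen(lookup, dimension):
    """min(firstTime) per key, like the `stats min(firstTime) AS earliestseen` subsearch."""
    earliest = {}
    for row in lookup:
        k = _key(row, dimension)
        if k not in earliest or row["firstTime"] < earliest[k]:
            earliest[k] = row["firstTime"]
    return earliest


def find_new_logins(events, lookup, dimension, now):
    """Flag logins whose user / city / region / country has no baseline entry,
    or whose baseline entry first appeared inside the last 24 hours."""
    baseline = earliest_seen(lookup, dimension)
    cutoff = window_start(now)
    findings = []
    for ev in events:
        first = baseline.get(_key(ev, dimension))
        if first is None or first >= cutoff:
            findings.append({
                "user": ev["user"],
                "dimension": dimension,
                "value": ev[dimension],
                "src": ev["src"],
                "time": ev["time"],
                "baseline_first_seen": first,
                "previously_seen": sorted({r[dimension] for r in lookup if r["user"] == ev["user"]}),
            })
    return findings


def triage(findings, created, now, young_days=7):
    """Annotate findings with account age so a reviewer can separate a freshly
    created user's expected first login from an established account behaving oddly."""
    for f in findings:
        age = (now - created[f["user"]]).days if f["user"] in created else None
        f["account_age_days"] = age
        if age is not None and age < young_days:
            f["note"] = "account created recently; likely an expected first login, confirm with owner"
        else:
            f["note"] = "established account or unknown age; investigate"
    return findings


if __name__ == "__main__":
    for dim in ("user", "city", "region", "country"):
        for f in triage(find_new_logins(EVENTS, LOOKUP, dim, NOW), USER_CREATED, NOW):
            print(dim, f["user"], f["value"], "age_days=%s" % f["account_age_days"], f["note"])
```

Run the file directly to print one line per finding and dimension. With the constructed data, alice's Dublin login is quiet on every dimension, her Lisbon login fires only the city, region and country rules, dave's Paris login is quiet because his baseline entry is 25 hours old, and bob and carol fire the new-user rule (bob because his baseline row is only two hours old, carol because she has no row); the triage step then separates carol's one-day-old account from bob's sixty-day-old one.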