Name:AWS High Number Of Failed Authentications For User id:e3236f49-daf3-4b70-b808-9290912ac64d version:3 date:2024-09-30 author:Bhavin Patel, Splunk status:production type:Anomaly Description:The following analytic detects an AWS account experiencing more than 20 failed authentication attempts within a 5-minute window. It leverages AWS CloudTrail logs to identify multiple failed ConsoleLogin events. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, the attacker could potentially gain unauthorized access, leading to data breaches or further exploitation of the AWS environment. Security teams should consider adjusting the threshold based on their specific environment to reduce false positives. Data_source:
-AWS CloudTrail ConsoleLogin
search:`cloudtrail` eventName=ConsoleLogin action=failure | bucket span=10m _time | stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id | where failed_attempts > 20 | `aws_high_number_of_failed_authentications_for_user_filter`
how_to_implement:You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs. known_false_positives:A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. References: -https://www.trendmicro.com/cloudoneconformity/knowledge-base/aws/IAM/password-policy.html drilldown_searches: name:'View the detection results for - "$user_name$"' search:'%original_detection_search% | search user_name = "$user_name$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user_name$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user_name$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Compromised User Account' - 'AWS Identity and Access Management Account Takeover' asset_type:AWS Account confidence:70 impact:50 message:User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$ mitre_attack_id: - 'T1201' observable: name:'user_name' type:'User' - role: - 'Victim' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' required_fields: - '_time' - 'eventName' - 'userAgent' - 'errorCode' - 'requestParameters.userName' - 'eventSource' - 'user_arn' - 'aws_account_id' - 'src_ip' risk_score:35 security_domain:threat
