Name:AWS Successful Console Authentication From Multiple IPs id:395e50e1-2b87-4fa3-8632-0dfbdcbcd2cb version:7 date:2024-11-14 author:Bhavin Patel, Splunk status:production type:Anomaly Description:The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring `ConsoleLogin` events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment. Data_source:
-AWS CloudTrail ConsoleLogin
search:`cloudtrail` eventName = ConsoleLogin | bin span=5m _time | rename user_name as user | stats dc(src) as distinct_ip_count values(src) as src values(user_agent) as user_agent values(dest) as dest by _time, user, signature, vendor_account, vendor_region, vendor_product | where distinct_ip_count>1 | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)` | `aws_successful_console_authentication_from_multiple_ips_filter`
how_to_implement:You must install Splunk AWS add on and Splunk App for AWS. This search works when AWS CloudTrail events are normalized use the Authentication datamodel. known_false_positives:A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment. References: -https://rhinosecuritylabs.com/aws/mfa-phishing-on-aws/ drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") starthoursago=168 | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' tags: analytic_story: - 'Suspicious AWS Login Activities' - 'Compromised User Account' asset_type:AWS Account mitre_attack_id: - 'T1586' - 'T1535' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:threat
