This search looks for AWS CloudTrail events where a user A (victim A) creates a login profile for user B, followed by an AWS Console login event by user B from the same source IP address that issued the CreateLoginProfile call. This correlated sequence can be indicative of privilege escalation, since both events happened from the same source IP.


You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.
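As an added example (not part of the original Splunk content), the same correlation logic written in Python and run over constructed CloudTrail records; it assumes the standard CloudTrail field names eventName, eventTime, sourceIPAddress, userIdentity.userName and requestParameters.userName, and a 24-hour correlation window is a chosen assumption:

```python
from datetime import datetime, timedelta

# Constructed sample CloudTrail records (not real data): userA creates a
# login profile for userB, then userB logs in to the console from the same IP.
# A later login by userB from a different IP should not be correlated.
SAMPLE_EVENTS = [
    {"eventName": "CreateLoginProfile", "eventTime": "2024-05-01T10:00:00Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "userA"},
     "requestParameters": {"userName": "userB"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T10:03:00Z",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"userName": "userB"},
     "responseElements": {"ConsoleLogin": "Success"}},
    {"eventName": "ConsoleLogin", "eventTime": "2024-05-01T11:00:00Z",
     "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"userName": "userB"},
     "responseElements": {"ConsoleLogin": "Success"}},
]


def parse_time(ts):
    """Parse the ISO-8601 UTC timestamp format CloudTrail uses in eventTime."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def correlate_login_profile_abuse(events, window=timedelta(hours=24)):
    """Return (creator, target, src_ip, login_time) tuples for every successful
    ConsoleLogin by the target user that follows a CreateLoginProfile for that
    user, from the same source IP, within `window` (assumed 24h default)."""
    profiles = [e for e in events if e.get("eventName") == "CreateLoginProfile"]
    logins = [e for e in events if e.get("eventName") == "ConsoleLogin"
              and e.get("responseElements", {}).get("ConsoleLogin") == "Success"]
    hits = []
    for p in profiles:
        creator = p.get("userIdentity", {}).get("userName")
        target = p.get("requestParameters", {}).get("userName")
        p_time = parse_time(p["eventTime"])
        for login in logins:
            if login.get("userIdentity", {}).get("userName") != target:
                continue  # login is not by the user who just got a profile
            if login.get("sourceIPAddress") != p.get("sourceIPAddress"):
                continue  # different source IP, not the correlated pattern
            delta = parse_time(login["eventTime"]) - p_time
            if timedelta(0) <= delta <= window:  # login must come after creation
                hits.append((creator, target, p["sourceIPAddress"], login["eventTime"]))
    return hits
```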


