Detect AWS Console Login By User From New Region

Description

This search looks for CloudTrail events in which a console login by a user was recorded within the last hour, then compares each event to a lookup file of previously seen users (by ARN value) who have logged into the console. The alert fires if the user has logged into the console for the first time within the last hour.

Content Mapping

This content is not mapped to any local saved search.

Use Case

Security Monitoring

Category

Cloud Security, SaaS

Alert Volume

SPL Difficulty

None

Journey

Stage 3

MITRE ATT&CK Tactics

Defense Evasion

MITRE ATT&CK Techniques

Unused/Unsupported Cloud Regions

Kill Chain Phases

Actions On Objectives

Data Sources

AWS
Audit Trail

Help

Detect AWS Console Login By User From New Region Help

You must be ingesting your cloud infrastructure logs from your cloud provider. You should run the baseline search Previously seen users in CloudTrail - Initial to build the initial table of source IP address, geographic locations, and times. You must also enable the second baseline search Previously Seen users in Cloudtrail - Update to keep this table up to date and to age out old data. You can also provide additional filtering for this search by customizing the detect_aws_console_login_by_user_from_new_region_filter macro.
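The initial baseline, scheduled update with age-out, and last-hour comparison described above, as an added Python reference implementation of the logic (not the page's SPL and not Splunk's code). The 30-day retention period, the account ID, and every CloudTrail record are constructed assumptions; the record fields themselves (eventName, eventTime, awsRegion, userIdentity.arn) are standard CloudTrail fields.

```python
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)       # detection window stated in the description
RETENTION = timedelta(days=30)    # assumed age-out period for the Update baseline

def parse(ts):
    """CloudTrail eventTime is ISO-8601 UTC, e.g. 2024-05-01T11:30:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def update_baseline(baseline, events, now):
    """Merge ConsoleLogin events into the previously-seen table keyed by
    (user ARN, awsRegion), tracking first/last seen, then age out entries
    whose last login is older than RETENTION (the Update baseline's job)."""
    for ev in events:
        if ev.get("eventName") != "ConsoleLogin":
            continue                       # only console logins count
        key = (ev["userIdentity"]["arn"], ev["awsRegion"])
        t = parse(ev["eventTime"])
        first, last = baseline.get(key, (t, t))
        baseline[key] = (min(first, t), max(last, t))
    for key in [k for k, (_, last) in baseline.items() if now - last > RETENTION]:
        del baseline[key]
    return baseline

def detect_new_region_logins(baseline, now):
    """Alert on (ARN, region) pairs whose first console login lies in WINDOW."""
    return sorted(k for k, (first, _) in baseline.items() if now - first <= WINDOW)

def login(user, region, when, name="ConsoleLogin"):
    # Minimal constructed CloudTrail record with only the fields the logic uses.
    return {"eventName": name, "eventTime": when, "awsRegion": region,
            "userIdentity": {"arn": f"arn:aws:iam::123456789012:user/{user}"}}

HISTORICAL = [login("alice", "us-east-1", "2024-04-20T09:00:00Z"),
              login("bob", "eu-west-1", "2024-04-25T14:00:00Z"),
              login("carol", "us-west-2", "2024-03-01T10:00:00Z")]   # older than RETENTION
LAST_HOUR = [login("alice", "ap-southeast-1", "2024-05-01T11:30:00Z"),  # new region
             login("bob", "eu-west-1", "2024-05-01T11:45:00Z"),         # known pair
             login("carol", "us-west-2", "2024-05-01T11:50:00Z"),       # aged out, looks new
             login("bob", "ap-south-1", "2024-05-01T11:55:00Z", "AssumeRole")]  # ignored

def run_example(now=parse("2024-05-01T12:00:00Z")):
    baseline = update_baseline({}, HISTORICAL, now)   # Initial baseline search
    update_baseline(baseline, LAST_HOUR, now)         # scheduled Update search
    return detect_new_region_logins(baseline, now)

if __name__ == "__main__":
    for arn, region in run_example():
        print(f"ALERT first console login from {region}: {arn}")
```

Note that carol alerts even though she used us-west-2 before: once the Update search ages an entry out, a returning user is indistinguishable from a new one, so the retention period directly sets how often such re-alerts occur.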

Search
