Detect AWS Console Login By User From New Region

Description

This search looks for CloudTrail events in which a console login by a user was recorded within the last hour, then compares each event to a lookup file of previously seen users (keyed by ARN value) who have logged into the console. The alert fires if the user logged into the console for the first time within the last hour.

Help

You must install and configure the Splunk Add-on for AWS (version 5.1.0 or later) and Enterprise Security 6.2, which contains the required updates to the Authentication data model for cloud use cases. Run the Previously Seen Users in CloudTrail - Initial support search only once to create a baseline of previously seen IAM users within the last 30 days. Run Previously Seen Users in CloudTrail - Update hourly (or more frequently depending on how often you run the detection searches) to refresh the baselines. You can also provide additional filtering for this search by customizing the detect_aws_console_login_by_user_from_new_region_filter macro.
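The following is an added example, written for this page and not code from the Splunk Security Content project, that models the baseline-and-compare logic described above in Python over constructed CloudTrail records. It follows the three searches the help text names: an initial baseline over the last 30 days, an hourly update that merges the latest logins into the lookup, and the detection that alerts on first-time logins within the last hour. It generalizes slightly beyond the description by keying the lookup on the (ARN, awsRegion) pair, since the detection's title targets logins from a new region; keying on the ARN alone gives the plain first-time-user case. The CloudTrail field names (`userIdentity.arn`, `awsRegion`, `responseElements.ConsoleLogin`) are the standard ones; the events, times and account number are made up.

```python
"""Added example (not part of the Splunk Security Content project): baseline,
update and detection logic for first-time console logins per (ARN, region),
run over constructed CloudTrail ConsoleLogin records."""
from datetime import datetime, timedelta, timezone

# Constructed sample events and clock (not real telemetry; account id is fake).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
BASELINE_TIME = NOW - timedelta(hours=1)   # when the "Initial" baseline was built
ALICE = "arn:aws:iam::111122223333:user/alice"
BOB = "arn:aws:iam::111122223333:user/bob"
CAROL = "arn:aws:iam::111122223333:user/carol"


def _event(when, arn, region, result="Success"):
    return {"eventTime": when, "eventName": "ConsoleLogin", "awsRegion": region,
            "userIdentity": {"arn": arn},
            "responseElements": {"ConsoleLogin": result}}


SAMPLE_EVENTS = [
    _event("2023-12-20T09:15:00Z", ALICE, "us-east-1"),  # known user, known region
    _event("2024-01-10T08:00:00Z", ALICE, "us-east-1"),
    _event("2024-01-15T11:20:00Z", ALICE, "eu-west-1"),  # known user, NEW region
    _event("2024-01-15T11:45:00Z", BOB, "us-east-1"),    # never-seen user
    _event("2024-01-15T11:50:00Z", ALICE, "us-east-1"),  # known pair, no alert
    _event("2024-01-15T11:55:00Z", CAROL, "us-east-1", "Failure"),  # failed, ignored
]


def _ts(event):
    return datetime.strptime(event["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _key(event):
    # Lookup key: the description keys on ARN; region is added for the new-region case.
    return (event["userIdentity"]["arn"], event["awsRegion"])


def successful_console_logins(events, start, end):
    """Successful ConsoleLogin events with start <= eventTime < end."""
    return [e for e in events
            if e.get("eventName") == "ConsoleLogin"
            and e.get("responseElements", {}).get("ConsoleLogin") == "Success"
            and start <= _ts(e) < end]


def _merge(lookup, events):
    """Fold events into a {key: (firstTime, lastTime)} lookup."""
    merged = dict(lookup)
    for e in events:
        first, last = merged.get(_key(e), (_ts(e), _ts(e)))
        merged[_key(e)] = (min(first, _ts(e)), max(last, _ts(e)))
    return merged


def build_baseline(events, now=NOW, lookback=timedelta(days=30)):
    """'Initial' search: first/last seen per (arn, region) over the lookback window."""
    return _merge({}, successful_console_logins(events, now - lookback, now))


def update_baseline(baseline, events, now=NOW, window=timedelta(hours=1)):
    """'Update' search: merge the last window of logins into the existing lookup."""
    return _merge(baseline, successful_console_logins(events, now - window, now))


def detect_new_region_logins(baseline, events, now=NOW, window=timedelta(hours=1)):
    """Detection: logins in the last window whose earliest sighting, across the
    lookup and the window's own events, falls inside that window. Computing the
    minimum over both sources means the alert still fires if the Update search
    already wrote this hour's logins into the lookup."""
    recent = successful_console_logins(events, now - window, now)
    combined = _merge(baseline, recent)
    recent_keys = {_key(e) for e in recent}
    return sorted(key for key, (first, _last) in combined.items()
                  if key in recent_keys and first >= now - window)


if __name__ == "__main__":
    baseline = build_baseline(SAMPLE_EVENTS, now=BASELINE_TIME)
    for arn, region in detect_new_region_logins(baseline, SAMPLE_EVENTS):
        print(f"ALERT: first console login for {arn} from {region} in the last hour")
```

Run as a script, it reports Alice's first login from eu-west-1 and Bob's first login of any kind, while Alice's us-east-1 login and Carol's failed attempt produce nothing. The `_filter` macro mentioned in the help text corresponds to any extra exclusions you would apply to the returned list, for example dropping service or break-glass accounts that are expected to appear in new regions.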

Baseline Generation Searches

This detection relies on the following searches to generate the baseline lookup.

  • Previously seen users in CloudTrail
  • Previously Seen Users in CloudTrail - Initial
  • Previously Seen Users In CloudTrail - Update
  • Update previously seen users in CloudTrail