The following analytic identifies an AWS IAM account with concurrent sessions originating from more than one unique IP address within a 5-minute window. It leverages AWS CloudTrail logs, specifically the DescribeEventAggregates event, to detect this behavior. This activity is significant because it may indicate a session hijacking attack, where an adversary uses stolen session cookies to access AWS resources from a different location. If confirmed malicious, this could allow unauthorized access to sensitive corporate resources, leading to potential data breaches or further exploitation within the AWS environment.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2024-05-15
  • Author: Bhavin Patel, Splunk
  • ID: 51c04fdb-2746-465a-b86e-b413a09c9085

| ID | Technique | Tactic |
| --- | --- | --- |
| T1185 | Browser Session Hijacking | Collection |

Kill Chain Phase
  • Exploitation
NIST
  • DE.CM
CIS20
  • CIS 10

`cloudtrail` eventName = DescribeEventAggregates src_ip!="AWS Internal"
| bin span=5m _time
| stats values(userAgent) values(eventName) values(src_ip) as src_ip dc(src_ip) as distinct_ip_count by _time user_arn
| where distinct_ip_count > 1
| `aws_concurrent_sessions_from_different_ips_filter`
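The search above reads as a pipeline: filter CloudTrail events to DescribeEventAggregates, drop the "AWS Internal" source, bucket by 5-minute bins, count distinct source IPs per user ARN in each bin, and alert when that count exceeds one. The Python below re-implements that logic over a handful of constructed CloudTrail-style records so the behaviour can be checked outside Splunk. It is an added example, not code from the Splunk detection itself; the sample events, the `threshold` parameter (which mirrors the "customize the threshold" advice in the false-positives note) and the output field names are assumptions chosen to line up with the SPL.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed CloudTrail-style events for demonstration (not real data).
# Only the fields the analytic uses are present. In CloudTrail, the user ARN
# lives under userIdentity.arn and the source IP under sourceIPAddress.
SAMPLE_EVENTS = [
    {"eventTime": "2024-05-15T10:00:05Z", "eventName": "DescribeEventAggregates",
     "sourceIPAddress": "198.51.100.10", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    {"eventTime": "2024-05-15T10:02:30Z", "eventName": "DescribeEventAggregates",
     "sourceIPAddress": "203.0.113.7", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    # Service-originated call: excluded by src_ip!="AWS Internal"
    {"eventTime": "2024-05-15T10:03:00Z", "eventName": "DescribeEventAggregates",
     "sourceIPAddress": "AWS Internal", "userAgent": "health.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
    # bob changes IP, but across two different 5-minute bins: no alert
    {"eventTime": "2024-05-15T10:01:00Z", "eventName": "DescribeEventAggregates",
     "sourceIPAddress": "192.0.2.44", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    {"eventTime": "2024-05-15T10:09:00Z", "eventName": "DescribeEventAggregates",
     "sourceIPAddress": "192.0.2.45", "userAgent": "console.amazonaws.com",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
    # Different eventName: not in scope for this analytic
    {"eventTime": "2024-05-15T10:02:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "192.0.2.99", "userAgent": "aws-cli/2.15",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/bob"}},
]

SPAN_SECONDS = 300  # equivalent of `bin span=5m _time`


def bucket_start(event_time):
    """Floor an ISO-8601 CloudTrail eventTime to the start of its 5-minute bin."""
    ts = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    epoch = int(ts.timestamp())
    return datetime.fromtimestamp(epoch - epoch % SPAN_SECONDS, tz=timezone.utc)


def detect_concurrent_sessions(events, threshold=1):
    """Return one row per (bin, user_arn) whose distinct source-IP count exceeds threshold.

    Mirrors: filter -> bin -> stats values()/dc() by _time user_arn -> where dc > threshold.
    """
    groups = defaultdict(lambda: {"src_ip": set(), "userAgent": set(), "eventName": set()})
    for ev in events:
        if ev.get("eventName") != "DescribeEventAggregates":
            continue
        src_ip = ev.get("sourceIPAddress")
        if src_ip == "AWS Internal":
            continue
        key = (bucket_start(ev["eventTime"]), ev["userIdentity"]["arn"])
        g = groups[key]
        g["src_ip"].add(src_ip)
        g["userAgent"].add(ev.get("userAgent", ""))
        g["eventName"].add(ev["eventName"])

    results = []
    for (bin_time, user_arn), g in sorted(groups.items()):
        if len(g["src_ip"]) > threshold:
            results.append({
                "_time": bin_time.isoformat(),
                "user_arn": user_arn,
                "src_ip": sorted(g["src_ip"]),
                "userAgent": sorted(g["userAgent"]),
                "distinct_ip_count": len(g["src_ip"]),
                "message": (f"User {user_arn} has concurrent sessions from more than one "
                            f"unique IP address {sorted(g['src_ip'])} in the span of 5 minutes."),
            })
    return results


if __name__ == "__main__":
    for row in detect_concurrent_sessions(SAMPLE_EVENTS):
        print(row["_time"], row["user_arn"], row["distinct_ip_count"], row["src_ip"])
```

Running it flags only alice (two public IPs inside the 10:00 to 10:05 bin); bob's two IPs fall in adjacent bins and never co-occur, which also illustrates the edge the fixed 5-minute bin leaves open. Raising `threshold` to 2 suppresses the alert entirely, which is the tuning knob a multi-device user population would require.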


The SPL above uses the following Macros:

  • cloudtrail
  • aws_concurrent_sessions_from_different_ips_filter

:information_source: aws_concurrent_sessions_from_different_ips_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • eventName
  • userAgent
  • errorCode
  • user_arn
  • aws_account_id
  • src_ip

How To Implement

You must install the Splunk Add-on for AWS and the Splunk App for AWS. This search works with AWS CloudTrail logs.

Known False Positives

A user with concurrent sessions from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.

Associated Analytic Story


| Risk Score | Impact | Confidence | Message |
| --- | --- | --- | --- |
| 42.0 | 70 | 60 | User $user_arn$ has concurrent sessions from more than one unique IP address $src_ip$ in the span of 5 minutes. |

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact are set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.

source | version: 2