AWS High Number Of Failed Authentications For User
Description
The following analytic identifies an AWS account with more than 20 failed authentication events in the span of 5 minutes. This behavior could represent a brute force attack against the account. As environments differ across organizations, security teams should customize the threshold of this detection.
- Type: Anomaly
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2023-01-27
- Author: Bhavin Patel, Splunk
- ID: e3236f49-daf3-4b70-b808-9290912ac64d
Annotations
Kill Chain Phase
- Exploitation
NIST
- DE.AE
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
`cloudtrail` eventName=ConsoleLogin action=failure
| bucket span=10m _time
| stats dc(_raw) AS failed_attempts values(src_ip) as src_ip values(user_agent) by _time, user_name, eventName, eventSource aws_account_id
| where failed_attempts > 20
| `aws_high_number_of_failed_authentications_for_user_filter`
Macros
The SPL above uses the following Macros:
aws_high_number_of_failed_authentications_for_user_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- eventName
- userAgent
- errorCode
- requestParameters.userName
- eventSource
- user_arn
- aws_account_id
- src_ip
How To Implement
You must install Splunk AWS Add on and Splunk App for AWS. This search works with AWS CloudTrail logs.
Known False Positives
A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
Associated Analytic Story
RBA
| Risk Score | Impact | Confidence | Message |
|---|---|---|---|
| 35.0 | 50 | 70 | User $user_name$ failed to authenticate more than 20 times in the span of 5 minutes for AWS Account $aws_account_id$ |
Reference
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 1