Data Source: AWS CloudTrail ConsoleLogin

Date: 2025-01-23

ID: b68b3f26-bd21-4fa8-b593-616fe75ac0ae

Author: Patrick Bareiss, Splunk

Description

Logs attempts to sign in to the AWS Management Console, including successful and failed login events.

Details

Property	Value
Source	`aws_cloudtrail`
Sourcetype	`aws:cloudtrail`
Separator	eventName

Name ▲▼	Technique ▲▼	Type ▲▼
AWS Console Login Failed During MFA Challenge	Cloud Accounts, Multi-Factor Authentication Request Generation	TTP
AWS CreateLoginProfile	Cloud Account	TTP
AWS Credential Access Failed Login	Password Guessing, Cloud Accounts	TTP
AWS High Number Of Failed Authentications For User	Password Policy Discovery	Anomaly
AWS High Number Of Failed Authentications From Ip	Password Spraying, Credential Stuffing	Anomaly
AWS Multiple Failed MFA Requests For User	Cloud Accounts, Multi-Factor Authentication Request Generation	Anomaly
AWS Multiple Users Failing To Authenticate From Ip	Password Spraying, Credential Stuffing	Anomaly
AWS Successful Console Authentication From Multiple IPs	Compromise Accounts, Unused/Unsupported Cloud Regions	Anomaly
AWS Successful Single-Factor Authentication	Cloud Accounts, Cloud Accounts	TTP
AWS Unusual Number of Failed Authentications From Ip	Password Spraying, Credential Stuffing, Cloud Accounts	Anomaly

Supported Apps

Splunk Add-on for AWS (version 8.1.0)

Event Fields

+ Fields

  <span class="pill kill-chain">_time</span>
  
  <span class="pill kill-chain">action</span>
  
  <span class="pill kill-chain">additionalEventData.LoginTo</span>
  
  <span class="pill kill-chain">additionalEventData.MFAUsed</span>
  
  <span class="pill kill-chain">additionalEventData.MobileVersion</span>
  
  <span class="pill kill-chain">app</span>
  
  <span class="pill kill-chain">authentication_method</span>
  
  <span class="pill kill-chain">awsRegion</span>
  
  <span class="pill kill-chain">aws_account_id</span>
  
  <span class="pill kill-chain">command</span>
  
  <span class="pill kill-chain">date_hour</span>
  
  <span class="pill kill-chain">date_mday</span>
  
  <span class="pill kill-chain">date_minute</span>
  
  <span class="pill kill-chain">date_month</span>
  
  <span class="pill kill-chain">date_second</span>
  
  <span class="pill kill-chain">date_wday</span>
  
  <span class="pill kill-chain">date_year</span>
  
  <span class="pill kill-chain">date_zone</span>
  
  <span class="pill kill-chain">desc</span>
  
  <span class="pill kill-chain">dest</span>
  
  <span class="pill kill-chain">dvc</span>
  
  <span class="pill kill-chain">errorCode</span>
  
  <span class="pill kill-chain">errorMessage</span>
  
  <span class="pill kill-chain">eventCategory</span>
  
  <span class="pill kill-chain">eventID</span>
  
  <span class="pill kill-chain">eventName</span>
  
  <span class="pill kill-chain">eventSource</span>
  
  <span class="pill kill-chain">eventTime</span>
  
  <span class="pill kill-chain">eventType</span>
  
  <span class="pill kill-chain">eventVersion</span>
  
  <span class="pill kill-chain">eventtype</span>
  
  <span class="pill kill-chain">host</span>
  
  <span class="pill kill-chain">index</span>
  
  <span class="pill kill-chain">linecount</span>
  
  <span class="pill kill-chain">managementEvent</span>
  
  <span class="pill kill-chain">msg</span>
  
  <span class="pill kill-chain">object_category</span>
  
  <span class="pill kill-chain">product</span>
  
  <span class="pill kill-chain">punct</span>
  
  <span class="pill kill-chain">readOnly</span>
  
  <span class="pill kill-chain">reason</span>
  
  <span class="pill kill-chain">recipientAccountId</span>
  
  <span class="pill kill-chain">region</span>
  
  <span class="pill kill-chain">requestParameters</span>
  
  <span class="pill kill-chain">responseElements.ConsoleLogin</span>
  
  <span class="pill kill-chain">result</span>
  
  <span class="pill kill-chain">signature</span>
  
  <span class="pill kill-chain">source</span>
  
  <span class="pill kill-chain">sourceIPAddress</span>
  
  <span class="pill kill-chain">sourcetype</span>
  
  <span class="pill kill-chain">splunk_server</span>
  
  <span class="pill kill-chain">src</span>
  
  <span class="pill kill-chain">src_ip</span>
  
  <span class="pill kill-chain">start_time</span>
  
  <span class="pill kill-chain">status</span>
  
  <span class="pill kill-chain">tag</span>
  
  <span class="pill kill-chain">tag::action</span>
  
  <span class="pill kill-chain">tag::eventtype</span>
  
  <span class="pill kill-chain">timeendpos</span>
  
  <span class="pill kill-chain">timestartpos</span>
  
  <span class="pill kill-chain">tlsDetails.cipherSuite</span>
  
  <span class="pill kill-chain">tlsDetails.clientProvidedHostHeader</span>
  
  <span class="pill kill-chain">tlsDetails.tlsVersion</span>
  
  <span class="pill kill-chain">userAgent</span>
  
  <span class="pill kill-chain">userIdentity.accessKeyId</span>
  
  <span class="pill kill-chain">userIdentity.accountId</span>
  
  <span class="pill kill-chain">userIdentity.type</span>
  
  <span class="pill kill-chain">userIdentity.userName</span>
  
  <span class="pill kill-chain">user_access_key</span>
  
  <span class="pill kill-chain">user_agent</span>
  
  <span class="pill kill-chain">user_group_id</span>
  
  <span class="pill kill-chain">user_name</span>
  
  <span class="pill kill-chain">user_type</span>
  
  <span class="pill kill-chain">vendor</span>
  
  <span class="pill kill-chain">vendor_account</span>
  
  <span class="pill kill-chain">vendor_product</span>
  
  <span class="pill kill-chain">vendor_region</span>
  
</div>

Example Log

1{"eventVersion": "1.08", "userIdentity": {"type": "IAMUser", "accountId": "111111111111", "accessKeyId": "", "userName": "HIDDEN_DUE_TO_SECURITY_REASONS"}, "eventTime": "2022-10-19T20:33:38Z", "eventSource": "signin.amazonaws.com", "eventName": "ConsoleLogin", "awsRegion": "us-east-1", "sourceIPAddress": "142.254.89.27", "userAgent": "Go-http-client/1.1", "errorMessage": "No username found in supplied account", "requestParameters": null, "responseElements": {"ConsoleLogin": "Failure"}, "additionalEventData": {"LoginTo": "https://console.aws.amazon.com", "MobileVersion": "No", "MFAUsed": "No"}, "eventID": "9fcfb8c3-3fca-48db-85d2-7b107f9d95d0", "readOnly": false, "eventType": "AwsConsoleSignIn", "managementEvent": true, "recipientAccountId": "111111111111", "eventCategory": "Management", "tlsDetails": {"tlsVersion": "TLSv1.2", "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256", "clientProvidedHostHeader": "signin.aws.amazon.com"}}

Required Output Fields

dest
user
user_agent
src
vendor_account
vendor_region
vendor_product

Source: GitHub | Version: 2