Potential brute force attack on AWS ConsoleLogin

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Detect when a user is a victim of an Account Take Over (ATO) by a brute force attack.

Strategy

This rule monitors CloudTrail and detects when any @evt.name has a value of Console Login, and @responseElements.ConsoleLogin has a value of Failure.

Triage and response

  1. Determine if the user logged in with 2FA.
  2. Reach out to the user and ensure the login was legitimate.

Changelog

  • 17 March 2022 - Updated rule query.
  • 10 February 2023 - Updated rule query.
  • 10 July 2023 - Updated group by fields.
PREVIEWING: antoine.dussault/service-representation-ga-docs-us1