ConsoleLogin event correlates privileged policy applying to a role

aws

Classification:

attack

This page is not yet available in Spanish. We are working on its translation.
If you have any questions or feedback about our current translation project, feel free to reach out to us!

Goal

Correlate a brute force login with a privileged policy being applied to a role.

Strategy

Correlate the Potential brute force attack on AWS ConsoleLogin and cloudtrail AWS IAM AdministratorAccess policy was applied to a role signals based on the ARN: {{@userIdentity.arn}}.

Triage and response

  1. Set signal triage state to Under Review.
  2. Determine if the brute force attack was successful.
    • If the login was not legitimate:
      • Revert the privileged policy change
      • Rotate credentials on the brute forced account
      • Enable MFA if it is not already
    • If the login was legitimate:
      • Triage the signal as a false positive
PREVIEWING: esther/docs-9478-fix-split-after-example