AWS ConsoleLogin with MFA triggered Impossible Travel scenario

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect an Impossible Travel event when a @userIdentity.type: {{@userIdentity.type}} performs a consoleLogin with a multi-factor authentication (MFA) device.

Strategy

The Impossible Travel detection type’s algorithm compares the GeoIP data of the last log and the current log to determine if the user with @userIdentity.session_name: {{@userIdentity.session_name}} traveled more than 500km at over 1,000km/h and the user used MFA.

Triage and response

  1. Determine if {{@userIdentity.session_name}} should be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}} in a short period of time.
  2. If the user should not be connecting from {{@impossible_travel.triggering_locations.first_location.city}}, {{@impossible_travel.triggering_locations.first_location.country}} and {{@impossible_travel.triggering_locations.second_location.city}}, {{@impossible_travel.triggering_locations.second_location.country}}, then consider isolating the account and reset credentials.
  3. Use the Cloud SIEM - User Investigation dashboard to audit any user actions that may have occurred after the illegitimate login.

Changelog

  • 10 March 2022 - Updated rule.
  • 15 December 2022 - Updated rule to cover edge case.
  • 30 September 2024 - Updated query to replace attribute @threat_intel.results.subcategory:anonymizer.
PREVIEWING: rtrieu/product-analytics-ui-changes