Rules Contributing to Suspicious AWS Login Failure

The following rules are used to identify suspicious AWS account login failure. Any one or more of these will trigger the AWS Cloud Account Login Failure alert. Details for each rule can be viewed by clicking the More Details link in the description.

Title

Description

AWS Console Login Failed During MFA Challenge

The following analytic identifies an authentication attempt event against an AWS Console that fails during the Multi Factor Authentication challenge.

More details

Rule ID

aws_117

Query

{'selection1': {'eventSource': 'signin.amazonaws.com'}, 'selection2': {'eventName': 'ConsoleLogin'}, 'selection3': {'errorMessage': 'Failed authentication'}, 'selection4': {'additionalEventData_MFAUsed': 'Yes'}, 'condition': 'selection1 and selection2 and selection3 and selection4'}

Log Source

Stellar Cyber AWS configured.

Rule Source

Developed internally by Stellar Cyber

Tactics, Techniques, and Procedures

TA0042, T1586

References

N/A

Severity

Suppression Logic Based On

service_id
eventSource
eventName
stellar.rule_id

Additional Information

Maturity	Creation Date	Risk Level	False Positives
production	2022-10-03	medium	Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake.